Foreword


In February 2004, at the Universitat Politécnica de Catalunya, we presented a 
45-hour Advanced Course on Contemporary Cryptology, organised by the Centre 
de Recerca Matematica. This volume is an expanded and unified version of the 
material presented in the lectures and the background material that we distributed 
among the participants. 

As the title implies, our aim in the course and in this text is to treat selected 
topics of the subject of contemporary cryptology, structured in five quite inde- 
pendent but related themes: Efficient distributed computation modulo a shared 
secret, multiparty computation, modern cryptography, provable security for pub- 
lic key schemes, and efficient and secure public-key cryptosystems. The beauty 
and multidisciplinarity of this topic motivated the interest of the participants, to 
whom we are very much indebted for their helpful contributions. 

Thanks are due to the Centre de Recerca Matematica for organising and 
sponsoring the Advanced Course, to the CRM administrative staff for smoothly 
working out innumerable details, and to Paz Morillo for the mathematical organ- 
isation of the course and for making it such a pleasant experience. Special thanks 
go to all the participants of the course for their interest in the event and for their 
many comments on the material. 


Efficient Distributed Computation Modulo 
a Shared Secret 


Dario Catalano 


1. Introduction 


In several cryptographic protocols a number of participants are required to have
an RSA [49] modulus for which none of them knows the factorization. A typical
example is the well known Fiat-Shamir identification scheme [22], in which all
the players use the same modulus but none of them is supposed to know the
factorization (for other examples the reader may look at [21, 28, 39, 43, 44]). In
principle a simple solution to this problem would be to allow the "existence" of an
external (with respect to the set of players) dealer that initializes the system by
providing a modulus N to the players, without revealing to them the corresponding
factorization. The problem with this solution is, of course, that this dealer has to
be trusted, in the sense that he has to be completely honest: he should not reveal
the factorization and he should provide a correctly generated modulus.

In other scenarios the players are required not only to share an RSA modulus,
but need one of some special form. For instance, N is typically required to
be the product of two safe primes, i.e. primes of the form p = 2p' + 1, where
p' is itself a prime (see [14, 31, 52] for example). While the need for safe primes
can sometimes be avoided (as in [15, 23]), this often comes at the cost of needing
additional assumptions.

Another case where shared generation of RSA moduli is very useful is threshold
cryptography (see [30] for a nice survey on this topic). As a motivating example
consider the case of threshold RSA signatures. Let N be an RSA modulus (N = pq
where p and q are both primes), e be the public verification key and d the corre-
sponding (secret) signing key. Clearly one has that ed = 1 mod φ(N). A threshold
RSA signature is something quite similar to a standard RSA signature, but it in-
volves n parties and has the additional property that any subset of, say, t + 1 ≤ n
parties can generate a valid signature, while fewer than t + 1 players cannot do the
same. For this specific case we talk of a t + 1 out of n threshold signature scheme.
Another interesting feature of this type of signatures is that, unlike secret sharing
Another interesting feature of this type of signatures is that, unlike secret sharing 
schemes [51], the signature is produced without explicitly revealing the private key.
To understand how this can be possible let us consider the following approach (orig-
inally presented in [24]) to obtain an n out of n threshold RSA signature scheme.
Every player P_i is given a (random) share d_i such that Σ_{i=1}^{n} d_i = d mod φ(N).
Then, to sign a message m, player P_i computes σ_i = m^{d_i} mod N and sends
this value to an external party, which we call a combiner and which holds no
secrets. The combiner simply multiplies all the received contributions and gives
back to the players


$$\sigma = \prod_{i=1}^{n} \sigma_i \bmod N = m^{d_1 + \cdots + d_n} \bmod N = m^{d} \bmod N.$$
The obvious advantage of this solution is that no player has to store delicate
information (such as a signing key would be) in his own private memory. Moreover
this basic solution can be generalized to provide a t-out-of-n solution (see [16, 19,
25, 48, 52] for details).
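The n-out-of-n scheme just described, as an added example in Python (it is not code from the lecture or from [24]). The primes p = 1009 and q = 1013 and the exponent e = 65537 are toy values constructed for illustration and give no security whatsoever; `toy_dealer` plays the trusted dealer the text discusses, so it is the only party that ever sees d, while each player only ever exponentiates with its own d_i.

```python
"""Added example: n-out-of-n threshold RSA signatures with a trusted dealer.

Toy parameters only (p = 1009, q = 1013, e = 65537 are constructed for
illustration); the point is the combining step, not the parameter sizes.
"""
import secrets


def toy_dealer(p, q, e, n):
    """Trusted dealer: computes N, d and n random additive shares of d modulo phi(N).

    Returns (N, [d_1, ..., d_n]) with d_1 + ... + d_n = d mod phi(N).
    Only the dealer ever sees d."""
    N, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                      # e*d = 1 mod phi(N); needs gcd(e, phi) = 1
    shares = [secrets.randbelow(phi) for _ in range(n - 1)]
    shares.append((d - sum(shares)) % phi)   # last share fixes the sum
    return N, shares


def partial_signature(m, d_i, N):
    """Player P_i's contribution sigma_i = m^{d_i} mod N."""
    return pow(m, d_i, N)


def combine(partials, N):
    """The combiner holds no secret: it multiplies the contributions modulo N."""
    sigma = 1
    for s in partials:
        sigma = sigma * s % N
    return sigma


def verify(m, sigma, e, N):
    """Standard RSA verification of the combined signature."""
    return pow(sigma, e, N) == m % N


def threshold_sign(m, p, q, e, n):
    """Whole flow: dealer -> n partial signatures -> combiner. Returns (N, sigma)."""
    N, shares = toy_dealer(p, q, e, n)
    sigma = combine([partial_signature(m, d_i, N) for d_i in shares], N)
    return N, sigma


if __name__ == "__main__":
    N, sigma = threshold_sign(123456, 1009, 1013, 65537, 3)
    print("valid:", verify(123456, sigma, 65537, N))
```

Because the shares are taken modulo φ(N), their sum is d + kφ(N) for some integer k, and m^{d + kφ(N)} = m^d mod N holds for every m (for each prime factor of N either it divides m, and both sides are 0, or Fermat's little theorem applies), so the combiner never needs to know k.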

However, as already pointed out before, the above discussion assumes that
a trusted dealer initializes the system for the players (by generating the RSA
modulus and providing them with the shares of the signing exponent). Clearly, however,
if an intruder can compromise the dealer, he becomes able to forge signatures
without needing to access the players' internal memory. Thus the external dealer
should be not only completely honest but also "protected" enough to guarantee
security. For these reasons, whenever possible, one would like not to rely on the
assumption that such a dealer is available.


In this lecture we describe some efficient algorithms that allow a set of players
to generate shared RSA keys without assuming the existence of a trusted dealer
(interestingly, efficient solutions were already known for the ElGamal cryptosys-
tem [20, 33, 45]). Specifically we present a "modular" approach to the problem:
we propose several algorithms that can later be combined to perform the desired
tasks. Note that, in theory, to generate a shared RSA key one can resort to generic
secure circuit evaluation techniques [5, 12, 37, 55]. After all one can always take
any (standard) algorithm to generate RSA keys and convert it into a boolean (or
arithmetic) circuit. Then for each gate of this circuit the players perform a distrib-
uted multiplication modulo a small (publicly available) prime p. As a consequence
this general technique is rather inefficient and can hardly be considered practical
(indeed note that it requires some distributed computation for each
gate in the circuit, and the circuit can be pretty big).


1.1. Previous Work 


BONEH-FRANKLIN. The first to address the issue of an efficient solution for the
problem of generating shared RSA keys were Boneh and Franklin who, in a break-
through result, show how n > 2 parties can jointly generate an RSA key without a
trusted dealer [7]. The main contribution of their paper is an efficient distributed
algorithm to perform a biprimality test: the n parties jointly generate a candidate
modulus N and then engage in a private distributed protocol to test that N is
actually the product of two primes. The distributed biprimality test algorithm is
(n − 1)-private, meaning by this that no coalition of at most n − 1 players should
be able to get any information about the factors of N (beyond, of course, what
is revealed by N itself). We will not present the details of this construction here
(the interested reader is referred to the original paper), essentially for the sake
of modularity: we describe (somewhat) simple protocols and then we show how to
combine them to address more complicated tasks.


OTHERS. Building on the Boneh-Franklin solution, Frankel, MacKenzie and Yung
describe in [27] a way to add robustness¹ to the protocols in [7]. The FMY protocol
follows the structure of [7] and allows one to obtain a t-out-of-n threshold protocol
(originally the Boneh-Franklin proposal allows for an n-out-of-n solution). Moreover,
in order to achieve a t-out-of-n threshold, the FMY protocol uses representation
changes for the sharing of the secret data. Namely, data which is shared in a t-out-
of-n fashion is converted into a t-out-of-t fashion in order to perform computations,
and then re-converted into a t-out-of-n sharing to preserve tolerance of crashing
or malicious players. We will not discuss these issues here.

Some of the techniques that we present in this work originated in papers
on robust and proactive RSA. In particular, working over the integers in order
to overcome the difficulty of computing modulo an unknown integer was used in
several previous papers [26, 32, 25, 48].

Finally we note that the main results presented in this article are essentially
from the papers "Efficient Computation Modulo a Shared Secret with Application
to the Generation of Shared Safe-Prime Products" by Joy Algesheimer, Jan Ca-
menisch and Victor Shoup (appeared in the proceedings of Crypto 2002) [1] and
"Computing Inverses over a Shared Secret Modulus" by Dario Catalano, Rosario
Gennaro and Shai Halevi (appeared in the proceedings of Eurocrypt 2000) [11].
More precisely the results presented in Sections 5, 6, 7, 8 and 9 are from [1] while
the results presented in Section 11 are from [11].


1.2. Organization of this Lecture 


We start by introducing some preliminaries in Section 2 (in particular we
give definitions and notation and we discuss the network model we are going
to employ in the rest of this document). Then in Section 3 we describe some
well known secret sharing methods. In Section 4 we discuss some basic protocols
that are going to be useful as tools to "construct" the protocols we will later
describe. Section 5 is devoted to describing a quite unusual approach to performing
modular arithmetic. In Section 6 we describe some methods to convert between
different secret sharing schemes. Then we present efficient algorithms to perform
some distributed computation with respect to a shared modulus, and in particular
to perform modular reductions, in Section 7. On top of this we pass on to discussing


¹ Informally a protocol is said to be robust if it maintains its security properties even in the
presence of maliciously behaving players.
some important applications of the distributed modular reduction algorithm in
Sections 8 and 9. In Section 10 we illustrate how to generate shared RSA keys.
Finally we discuss an efficient algorithm to compute inverses over a shared secret
modulus in Section 11.


2. Preliminaries 


2.1. The Network Model 


We consider a network of n players, that are connected by point-to-point private
channels and by a broadcast channel.² We model failures in the network by an
adversary A, who can corrupt at most t of the players. We distinguish between
the following types of "failures":


• honest but curious: the adversary can just read the memory of the corrupted
players but not modify their behavior;

• halting: an "honest but curious" adversary who may also cause any of the
corrupted players to crash and abort the protocol;

• malicious: the adversary may cause players to deviate arbitrarily from the
protocol.


For the sake of simplicity we will present protocols that are secure with
respect only to an honest but curious adversary, which moreover is static,
i.e. the set of corrupted players is decided at the beginning of the computation of
a protocol. Note that all the above assumptions can be relaxed using standard
techniques. For example it is possible to force the parties to behave honestly by
having them commit to their inputs and prove (using so called zero-
knowledge proofs [38, 36]) that they followed the protocol correctly. However we
believe that such a formulation would make the presentation more intricate, thus
distracting the reader from the focus of this article, which is the protocols for
efficient distributed computations modulo a shared value.

Finally we assume communication is synchronous, except that we allow rushing 
adversaries (i.e. adversaries who decide the messages of the bad players at round 
R after having seen the messages of the good players at the same round). 


2.2. Definitions and Notations 


In the following we denote with ℕ the set of natural numbers and with ℝ⁺ the set
of positive real numbers. We say that a function negl : ℕ → ℝ⁺ is negligible iff for
every polynomial P(n) there exists an n_0 ∈ ℕ s.t. for all n > n_0, negl(n) < 1/P(n).

Let X_k and Y_k be two probability distributions on the set {0,1}* (this means
that by a ← X_k we intend that a ∈ {0,1}* and it is chosen according to the

² The communication assumptions allow us to focus on a high-level description of the protocols,
and they can be eliminated using standard techniques for privacy, authentication, commitment
and agreement.
distribution X_k). We say that X_k and Y_k are statistically indistinguishable if there
exists a negligible function negl(·) such that for sufficiently large k

$$\sum_{a \in \{0,1\}^*} \Bigl| \Pr_{x \leftarrow X_k}[x = a] - \Pr_{y \leftarrow Y_k}[y = a] \Bigr| < \mathrm{negl}(k).$$


A (probabilistic) distributed protocol for a task T, running in a network of n
players, is a sequence of programs R = (R_1, ..., R_n) where R_i is the program run
by player P_i.

CORRECTNESS. Let x_1, ..., x_n be a secret sharing of some secret x, where x_i
constitutes the local input of player P_i. We say that a protocol R for a task T is
correct if its output values d_1, ..., d_n constitute a secret sharing of T(x) = d.

PRIVACY. We define privacy using the usual simulation approach. That is, we
consider the view of the adversary A during a protocol to be the set of messages
sent and received by the bad players during a run of the protocol. We say that
a protocol is private if for any adversary A there exists a simulator S that runs
an execution of the protocol together with A and produces for it a view that is
indistinguishable from the real one.

SECURITY. We say that a protocol is secure if it is correct and private.


Remark 1. We point out here that basically all the protocols we are going to 
present in this article can be proven secure with respect to a slightly different 
definition, proposed by Canetti [8]. Roughly speaking, Canetti suggested a model 
in which one shows that a protocol is secure by proving that running the protocol 
is just as safe as running an idealized computational process where security is 
inherently guaranteed. In the context of secure multiparty computation this “ideal 
process” can be seen as all the players handing their inputs to some trusted third 
party who performs the required computation and outputs back to each player the 
appropriate “portion” of the function. Thus, in this ideal process, the adversary 
controlling a minority of players is very limited, because he can only learn and 
possibly modify the data of the corrupted players. Next we say that a protocol 
securely performs the required task if it is correct and executing the protocol 
amounts to emulating the ideal process for the considered task. 

Using this definition it is possible to prove that security is preserved under non-
concurrent, modular composition of protocols [8].

For the sole sake of simplicity, however, we preferred not to consider this definition
here, and we prove our protocols secure with respect to the simpler one given before.


3. Building Blocks 


In this section we will discuss some well known secret sharing methods. First,
however, we introduce some terminology. The efficiency of a multiparty protocol
is in general measured in terms of two parameters: the communication complex-
ity and the round complexity. The first parameter measures the number of bits
sent by each player. The round complexity, on the other hand, is the number of
communication rounds that the parties have to perform in order to complete the
protocol. As an additional parameter we consider the bit-complexity, which measures
the number of bit-operations performed by each player.

In the following we will assume that q is a public prime number and that n
is the number of players involved in the protocol (and in particular q > n). All the
primitives presented in this lecture require O(1) rounds of communication. Fur-
thermore, denoting with k the size of the prime q, their communication complexity
is O(kn) bits.


3.1. Additive Sharing over Z_q


To share a secret a, player P_j chooses n − 1 random elements a_i ∈ Z_q (for i ≠ j)
and sends a_i to player P_i. Finally he sets his own share a_j as

$$a_j = a - \sum_{i=1,\, i \neq j}^{n} a_i \bmod q.$$

Note that a player has to perform n additions to share a secret. Since adding
two k-bit integers requires k bit operations, the entire operation can be done with
O(kn) bit operations.

To (publicly) reconstruct the secret every player is required to disclose his
share. The secret value is obtained as the sum of all the published contributions.


3.2. Polynomial Sharing over Z_q


In this section we describe a method for constructing a t + 1 out of n (with t < n)
threshold scheme originally proposed by Shamir [51]. This method allows n players
to share a secret in a way such that any subset of t + 1 participants can later retrieve
the secret but no subgroup of at most t participants can do so.

To share a secret a, a player P_j randomly chooses t elements b_i ∈ Z_q and sets f(z)
as the polynomial

$$f(z) = a + \sum_{i=1}^{t} b_i z^i \bmod q.$$

Then for i ≠ j he sends the value f(i) to player P_i. Note that the polynomial
is evaluated only for small inputs (i.e. f(z) is computed only for the i's denoting
the indexes of the remaining players); this means that we can safely assume that
the input z is at most n, i.e. a (log n)-bit integer, in the above relations. Thus, since we can assume that multiplying a
k-bit integer by an ℓ-bit integer requires O(kℓ) bit operations, we can conclude that
the proposed method requires

1. t additions of k-bit integers. This costs, of course, at most O(tk) bit opera-
tions.

2. t exponentiations of a log n bit integer to a log n bit exponent. The cost of
such exponentiations can be bounded by O(tn log² n).

3. t multiplications of a k-bit number with an (at most) t log n-bit number.
This produces a cost of O(t²k log n) bit operations.

Thus, since t < n and log n << k, we have a total bit complexity of O(n²k log n).

Let us have a look at how any subset of t + 1 participants can reconstruct
the secret. Basically this is achieved by means of polynomial interpolation. Here
we will describe a simple method to do that, based on the Lagrange interpolation
formula for polynomials.

In a nutshell the Lagrange interpolation formula allows one to retrieve the
unique polynomial f of degree at most t from t + 1 points of it. Let S = {P_{i_1}, ...,
P_{i_{t+1}}} be any subset of t + 1 players. The formula is

$$f(z) = \sum_{j=1}^{t+1} f(i_j) \prod_{1 \le k \le t+1,\, k \neq j} \frac{z - i_k}{i_j - i_k} \bmod q.$$

Since we are interested only in the free term of the polynomial we can rewrite
the formula as

$$f(0) = \sum_{j=1}^{t+1} f(i_j) \prod_{1 \le k \le t+1,\, k \neq j} \frac{i_k}{i_k - i_j} \bmod q.$$

If we set

$$\lambda_{i_j} = \prod_{1 \le k \le t+1,\, k \neq j} \frac{i_k}{i_k - i_j} \bmod q,$$

then we have that

$$f(0) = \sum_{j=1}^{t+1} \lambda_{i_j} f(i_j) \bmod q.$$

We will refer to the λ's as the Lagrange interpolation coefficients. Note
that their value depends on q but is independent from the specific polynomial one
wants to interpolate. For this reason the Lagrange interpolation coefficients can
be precomputed and their values do not need to be kept secret.


3.3. Additive Sharing over Z


To share a secret a, chosen in a given interval [−A, A], player P_j chooses n − 1
random elements a_i in the larger interval [−A2^ρ, A2^ρ], where, as usual, i ≠ j. Then
he sets a_j = a − Σ_{i≠j} a_i and sends a_i to player P_i. The need for considering a
larger interval to choose the a_i's comes from the fact that one has to make sure
that the shares release no information (in a statistical sense) about the secret being
shared. Note that we did not have this problem when considering additive sharing
modulo a prime. The problem here is that the quantity a_j = a − Σ_{i≠j} a_i, when
computed over the integers, is in general not random and may strongly depend on
the specific secret a. It goes without saying that having shares that depend too
much on the secret is not a desirable property when designing a secure secret
sharing scheme. To overcome this problem we impose to choose the a_i's in an interval
that is sufficiently larger than the one where a is sampled. In this way it is possible
to prove that for sufficiently large ρ (in practice one may set ρ = 128 for instance),
the distributions of shares of distinct secrets are statistically indistinguishable, for
any set of n − 1 players.

A simple analysis shows that this sharing technique requires O(n(ρ + log A))
bit operations.


3.4. Polynomial Sharing over Z


In principle, to share a secret using polynomials over the integers, one may think
of using the same technique described in Section 3.2 for the case of polynomials
over Z_q. There are some technical problems that need to be discussed however.
First of all, to share a secret a chosen in a given interval [−A, A], one has to choose
the coefficients b_i of the polynomial in a larger interval [−A2^ρ, A2^ρ] (for similar
reasons as those seen for the case of additive sharing over Z).

The second difficulty is a little more subtle. In order to prove that a secret sharing
scheme is secure one has to prove that, unless enough players pool together their
shares and become thus able to reconstruct the secret, no information (either in an
information theoretic or computational sense) about the secret is revealed. When
the sharing is performed via a degree t polynomial this means that t + 1 shares
are sufficient to interpolate the secret. On the other hand no information about
the secret should be obtained from up to t shares. A way to prove this may be
to show that the distribution of t shares of some secret a with polynomial f(z) is
indistinguishable from the distribution of t shares that result from sharing another
value b with polynomial f̃ (without loss of generality we assume that the t shares
are those of players 1, ..., t). In other words one has to prove that, with high
probability, there is a sharing of b using a polynomial f̃ with integer coefficients in
the same range as f and such that f̃(j) = f(j) (for j = 1, ..., t). A way to achieve
this is to define a polynomial h(z) such that h(0) = a − b and h(1) = ... = h(t) = 0.
Then the desired polynomial is f̃(z) = f(z) − h(z).

Observe that the polynomial h(z) can easily be interpolated as

$$h(z) = (a - b) \prod_{j=1}^{t} \frac{z - j}{0 - j},$$

where the coefficient of z^i is

$$(a - b) \sum_{B \subseteq \{1,\dots,t\},\ |B| = i} \frac{\prod_{j \notin B} (-j)}{\prod_{j=1}^{t} (-j)}.$$

Note, however, that the above coefficients are not necessarily integers (actu-
ally they are fractions).

To overcome this problem we adopt the following trick. To share a secret a one
shares the related value La, where L = n!. In this way the polynomial h(z) above
can be re-defined as the one such that h(0) = (a − b)L and h(1) = ... = h(t) = 0.
That is

$$h(z) = (a - b) L \prod_{j=1}^{t} \frac{z - j}{0 - j},$$

where the coefficient of z^i is

$$(a - b) L \sum_{B \subseteq \{1,\dots,t\},\ |B| = i} \frac{\prod_{j \notin B} (-j)}{\prod_{j=1}^{t} (-j)}.$$

Note that because L = n! (and t ≤ n, so that t! divides L) this value is an integer. Moreover it can be bounded
in absolute value by

$$\Biggl| (a - b) L \sum_{B \subseteq \{1,\dots,t\},\ |B| = i} \frac{\prod_{j \notin B} (-j)}{\prod_{j=1}^{t} (-j)} \Biggr| \le L\,|a - b| \binom{t}{i} \le |a - b|\, L\, t! \le L^2 A.$$

This means that the coefficients of f̃(z) are in the range [−L²A − 2^ρA, 2^ρA + L²A].
Thus the probability that they are outside the legal range is L²A / (2^ρ A) = L² / 2^ρ,
which for sufficiently large ρ is negligible.
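The polynomial f̃ = f − h of this section built explicitly, as an added example in Python (it is not code from the lecture or from [1]). `h_coefficients` evaluates the coefficient formula above with exact fractions, first with L = 1, where the coefficients are genuine fractions, and then with L = n!, where they become integers; `alternative_sharing` then checks the statement the privacy argument rests on, namely that f̃ agrees with f at the points 1, ..., t and has free term Lb. The parameter values in the usage are chosen here for illustration only.

```python
"""Added example: the L = n! trick of polynomial sharing over the integers.

h_coefficients follows the coefficient formula of the text; the numbers
used below (a = 5, b = 2, t = 2, n = 3, A = 100, rho = 40) are illustrative.
"""
from fractions import Fraction
from itertools import combinations
from math import factorial, prod
import secrets


def h_coefficients(a, b, t, L=1):
    """Coefficients of h(z) with h(0) = (a-b)L and h(1) = ... = h(t) = 0.

    coefficient of z^i = (a-b) L * sum_{B in {1..t}, |B|=i} prod_{j not in B}(-j)
                                 / prod_{j=1..t}(-j)
    Returned as exact Fractions so that non-integrality is visible."""
    points = range(1, t + 1)
    den = prod(-j for j in points)
    coeffs = []
    for i in range(t + 1):
        num = sum(prod(-j for j in points if j not in B)
                  for B in combinations(points, i))
        coeffs.append(Fraction((a - b) * L * num, den))
    return coeffs


def evaluate(coeffs, z):
    """Horner evaluation over the integers/rationals: no modular reduction."""
    acc = 0
    for c in reversed(coeffs):          # coeffs[0] is the free term
        acc = acc * z + c
    return acc


def share_over_integers(a, t, n, A, rho):
    """Section 3.4: share L*a, L = n!, with coefficients b_i uniform in [-A 2^rho, A 2^rho].
    Returns (coefficient list of f, [f(1), ..., f(n)])."""
    assert -A <= a <= A
    L = factorial(n)
    bound = A << rho
    coeffs = [L * a] + [secrets.randbelow(2 * bound + 1) - bound for _ in range(t)]
    return coeffs, [evaluate(coeffs, i) for i in range(1, n + 1)]


def alternative_sharing(coeffs, a, b, t, n):
    """f~(z) = f(z) - h(z): a sharing of L*b giving players 1..t the same shares as f."""
    h = h_coefficients(a, b, t, factorial(n))
    return [c - hc for c, hc in zip(coeffs, h)]


def in_legal_range(coeffs, A, rho):
    """True iff every non-free coefficient lies in [-A 2^rho, A 2^rho].  For f~ this
    fails with probability at most t * L^2 / 2^rho, the bound derived in the text."""
    bound = A << rho
    return all(-bound <= c <= bound for c in coeffs[1:])


if __name__ == "__main__":
    print("L = 1:  ", h_coefficients(5, 2, 2))               # fractions
    print("L = 3!: ", h_coefficients(5, 2, 2, factorial(3)))  # integers
    f, shares = share_over_integers(5, 2, 3, A=100, rho=40)
    f_alt = alternative_sharing(f, 5, 2, 2, 3)
    print("same shares for players 1, 2:", [evaluate(f_alt, j) for j in (1, 2)] == shares[:2])
    print("f~(0) = L*b:", evaluate(f_alt, 0) == factorial(3) * 2)
    print("f~ in legal range:", in_legal_range(f_alt, 100, 40))
```

With t = 2 and a − b = 3 the formula gives h(z) = 3 − (9/2)z + (3/2)z², which is why sharing a directly does not work; multiplying by L = 3! = 6 gives 18 − 27z + 9z², and L² = 36 is what 2^ρ has to dominate.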


4. Basic Protocols 


Once we briefly described some secret sharing basics, we pass considering some 
important protocols to perform some basic tasks that are going to be used as 
underlying building blocks for the protocols presented in the following sections. 


4.1. Distributed Computation Modulo q


In this paragraph we briefly discuss the problem of performing basic operations
with shared secrets using the polynomial sharing technique described above. The
basic operations we want to perform are essentially the following:


1. Multiplication or addition of a constant (public) value and a polynomially
shared secret.
This is done by having each player multiply (or add) his share by (or to) the constant.
This is because, by the properties of polynomials, if f(i) is a share of a, then
f(i) + c will be a share of a + c and cf(i) one of c · a.

2. Addition of two polynomially shared values.
This is done by having the players locally add their own shares. In particular,
denoting with f(i) a share of a secret a and with g(i) a share of a secret b,
the value f(i) + g(i) is actually a share of the sum a + b.

3. Multiplication of two polynomially shared values.
This is just a little more complicated. In principle one can adopt the same
strategy already described for addition: every player locally multiplies his
own shares f(i) and g(i) and sets h(i) = f(i)g(i) as his share of the product
(note that the free coefficient of the polynomial h(z) is actually f(0)g(0)).
However there are two problems with using the polynomial h(z) to encode
the product of the two secrets. The first, rather obvious, is that, if f and g are
polynomials of degree t their product will be a polynomial of degree 2t. This
fact creates no problems in interpolating h if n is bigger than 2t. However
it is easy to see that further multiplications raise the degree, and once such
degree becomes larger than n, interpolation becomes impossible (we will not
have enough points).

The second problem is more subtle: h(z) is not a random polynomial of degree
2t (for example, being a product of two polynomials, it is not irreducible).
To solve these problems one can adopt a solution proposed by Ben-Or, Gold-
wasser and Wigderson [5] that allows one to efficiently randomize the coefficients
of the polynomial h(z) and to reduce its degree, while, of course, keeping the
free coefficient unaltered.

Recently a more efficient variant of the Ben-Or, Goldwasser and Wigder-
son protocol was proposed by Gennaro, Rabin and Rabin [34] and requires
O(k²n + kn² log n) bit operations per player.

In the rest of this document we will refer to the latter protocol as


MUL(f(i), g(i)).


4.2. Joint Random Sharing over Z_q


In this section we describe how to generate shares of a secret chosen jointly and
at random in Z_q by the players.

Each player chooses a random value r_i ∈ Z_q, shares it according to the
adopted secret sharing scheme and sends the obtained shares to the remaining
players involved in the protocol. At this point each player sums up (modulo q) all
the received values and sets the obtained value as his share of the jointly chosen
random value.

In the following we will refer to this protocol as JRS(Z_q) if the players get
additive shares and JRP(Z_q) if, on the other hand, they get polynomial shares. It
is not hard to see that the first protocol requires O(nk) bit operations per player
while the second one requires O(kn² log n) bit operations per player.


4.3. Joint Random Sharing of 0 in Z_q


In many protocols it is often useful to be able to generate a sharing of zero to
re-randomize shares obtained from some earlier performed computation. The joint
random sharing of zero protocol is pretty simple and can be described as follows.
Each player performs a sharing of zero, according to the secret sharing scheme
adopted, and sends the produced shares to the remaining players. Next each player
sums up (modulo q) the received values and sets the result as his share for zero.
As before we denote this protocol with JRSZ(Z_q) if the players get additive
shares and with JRPZ(Z_q) if, on the other hand, they get polynomial shares. The
protocols require O(nk) and O(kn² log n) bit operations per player, respectively.

In case one wants to get additive shares over the integers the technique is
basically the same as that seen to produce an additive sharing over Z. A range
[−2^ρA..2^ρA] is given from which the players sample the shares they send to the
other participants. We denote this protocol by JRIZ([−2^ρA..2^ρA]) and it requires
O(n(ρ + log A)) bit operations per player.
4.4. Computing Shares of the Inverse of a Shared Secret


The protocol we are going to describe works only for polynomial sharings over Z_q.
Let a be an invertible element in Z_q. We say that an element a is invertible in Z_q if
gcd(a, q) = 1. Since we are considering q a prime number, every non-zero element is
invertible in Z_q. Note that for every invertible element a there exists a b ∈ Z_q such
that ab = 1 mod q and this element is efficiently computable (using the well known
extended Euclidean algorithm). Now assume that a is shared among the players and
denote with a_i the share held by player P_i. The following protocol, due to Bar-Ilan
and Beaver [4], allows one to compute shares of b from shares of a. The idea is the
following. First the players run the JRP(Z_q) protocol to jointly generate a shared
random value r, then they multiply the two shared secrets a and r by means of the
MUL(a_i, r_i) protocol. To conclude this phase the players reveal the shares obtained
after the execution of the multiplication protocol and jointly reconstruct the value
u = ar mod q. If u = 0 mod q the protocol is restarted. Otherwise u is invertible
modulo q and every player can locally compute his share of a^{-1} mod q by setting
b_i = r_i · u^{-1} mod q. We denote this protocol by INV(a_i). It requires an (expected)
number of O(k²n + kn² log n) bit operations per player.


4.5. Joint Random Invertible Element Sharing


This protocol is a variant of the one presented in the previous section and was
proposed by Bar-Ilan and Beaver [4] as well. It allows a set of players to generate
a random element with the additional property that this element is invertible
in Z_q. The players start by generating shares of two random values r and s by
running the JRP(Z_q) protocol and then jointly compute their product using the
MUL(s_i, r_i) procedure. Finally they reveal the obtained results and reconstruct the
value u = r · s mod q. If u is not zero modulo q each player sets his share of
r as the share of the desired random invertible element (otherwise they simply
repeat the protocol). As before this protocol, which we call JRP-INV(Z_q), requires
an (expected) number of O(k²n + kn² log n) bit operations per player.


5. A Different Approach 


For some of the protocols that we are going to present in this article, it is more 
useful to perform modular arithmetic in a slightly different way. So far we adopted 
the standard notation by which, given two integers a, b and a positive integer g, we 
write a = 6 mod q if q divides a—b. In particular this can be interpreted as follows. 
Suppose we divide a and 6 by q, obtaining integer quotients and remainders; we 
assumed that the remainders were always positive integers between 0 and q — 1. 
This means that, denoting a = Qiq+ R; and b = Qoq+ Re one has that 0 < 
Ry, Ro < q—1. By this position a = b mod q if and only if Ry; = Ry and the 
notation a mod q denotes the remainder when a is divided by gq, i.e. the value R; 
above. 
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However there is no need to assume that the remainder has to be a positive integer. 
Here we will describe a different approach by which modular arithmetic is done 
centered around zero. We will adopt the symbol ’rem’ rather than ’mod’ as the 
operator of modular reduction to remind the reader of this. 

Let $a$ be a real number; we denote with $\lfloor a \rfloor$ the largest integer $b$ such that $b \le a$. Conversely we indicate with $\lceil a \rceil$ the smallest integer $b \ge a$. Finally we denote with $\lfloor a \rceil$ the largest integer $b \le a + 1/2$, i.e. $a$ rounded to the nearest integer. We denote with $\mathrm{trunc}(a)$ the operator
$$\mathrm{trunc}(a) = \begin{cases} \lceil a \rceil & \text{if } a < 0 \\ \lfloor a \rfloor & \text{if } a \ge 0 \end{cases}$$
Thus trunc actually truncates $a$ towards zero.
Now let $q$ be a positive integer and define $\mathbb{Z}_q$ as the set $\{x \in \mathbb{Z} \mid -q/2 \le x < q/2\}$. Clearly any integer $a$ can be written as $c + \ell q$ with $c \in \mathbb{Z}_q$ and $\ell \in \mathbb{Z}$.
Now consider the value $\lfloor a/q \rceil$; one has that
$$\left\lfloor \frac{a}{q} \right\rceil = \left\lfloor \frac{c}{q} + \ell \right\rceil = \ell + \left\lfloor \frac{c}{q} \right\rceil.$$
Since $\ell$ is an integer and $-1/2 \le c/q < 1/2$ we can conclude that $\lfloor a/q \rceil = \ell$. Thus
$$a \ \mathrm{rem}\ q = c = a - \left\lfloor \frac{a}{q} \right\rceil q.$$


It is not hard to see that all the protocols described in Section 3 work in this new 
representation setting as well (basically one simply needs to rewrite them using 
the ’rem’ operator to replace the ’mod’ one). 


6. Converting among Different Secret Sharing Methods 


In the protocols we are going to describe, we will need to use all the basic algo- 
rithms described in the previous sections and to adopt all the three secret sharing 
schemes discussed so far. For this reason we will devote this section to explain 
some efficient methods to convert shares from a secret sharing scheme into shares 
of a different one. 


6.1. Converting between Additive and Polynomial Shares 

Converting from additive shares in $\mathbb{Z}_q$ to polynomial shares in $\mathbb{Z}_q$ is very simple. Let $a_i$ be the share held by player $P_i$. We start the conversion by allowing every player $P_i$ to share his contribution $a_i$ by means of a polynomial $f_i(z)$ of degree $t < n$. In particular $P_i$ chooses at random $t$ coefficients $\alpha_{i,1}, \ldots, \alpha_{i,t}$ and sets $f_i(z) = a_i + \sum_{l=1}^{t} \alpha_{i,l} z^l \ \mathrm{rem}\ q$. Finally he sends to every other player $P_j$ the value $f_i(j) \ \mathrm{rem}\ q$. Upon having received all the contributions from the other parties, player $P_i$ sets his polynomial share for $a = \sum_{j=1}^{n} a_j \ \mathrm{rem}\ q$ as $f(i) = \sum_{j=1}^{n} f_j(i) \ \mathrm{rem}\ q$.


Converting from polynomial shares in $\mathbb{Z}_q$ to additive shares in $\mathbb{Z}_q$ is very easy as well. Let $a$ be the shared secret, let $S = \{P_{i_1}, \ldots, P_{i_{t+1}}\}$ be any subset of $t+1$ parties and let $\lambda_{i_1}, \ldots, \lambda_{i_{t+1}}$ be the corresponding Lagrange interpolation coefficients. Of course the players in $S$ can interpolate and reconstruct the secret as shown in Section 3.2. This means that, in particular,
$$a = \sum_{j=1}^{t+1} \lambda_{i_j} f(i_j) \ \mathrm{rem}\ q$$
where $f$ is the sharing polynomial. So every player in $S$ just performs an additive sharing of his own contribution $\lambda_{i_j} f(i_j)$ and sends the shares to the respective parties, which just add them up to obtain an additive sharing of $a$.


Conversions between additive and polynomial sharings over the integers are 
done — basically — in the same way. 
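The two conversions above, as an added worked example that is not part of the original chapter: Shamir-style polynomial sharing over $\mathbb{Z}_q$ using the centered 'rem' reduction of Section 5, with the first $t+1$ players playing the role of the set $S$. The prime $q = 2^{61}-1$, the player count $n$, the degree $t$ and the secrets are values assumed for the demonstration, and Python's `secrets` module stands in for the players' private randomness.

```python
import secrets


def rem(a, q):
    """Centered reduction: the unique c in [-q/2, q/2) with a ≡ c (mod q)."""
    c = a % q
    return c - q if c >= (q + 1) // 2 else c


def eval_poly(coeffs, x, q):
    """Evaluate coeffs[0] + coeffs[1] x + ... (Horner) and reduce with rem."""
    acc = 0
    for coef in reversed(coeffs):
        acc = rem(acc * x + coef, q)
    return acc


def lagrange_coeff(points, i, q):
    """Lagrange coefficient lambda_i for recovering f(0) from f(points) mod q."""
    num, den = 1, 1
    for j in points:
        if j != i:
            num = rem(num * (-j), q)
            den = rem(den * (i - j), q)
    return rem(num * pow(den, -1, q), q)


def share_additive(secret, n, q):
    """n additive shares over Z_q: n-1 random, the last one fixes the sum."""
    parts = [secrets.randbelow(q) for _ in range(n - 1)]
    parts.append(rem(secret - sum(parts), q))
    return parts


def additive_to_polynomial(add_shares, t, q):
    """Each P_i hides a_i in a random degree-t polynomial f_i; P_j sums the f_i(j)."""
    n = len(add_shares)
    poly_shares = [0] * n
    for a_i in add_shares:
        f_i = [a_i] + [secrets.randbelow(q) for _ in range(t)]
        for j in range(1, n + 1):
            poly_shares[j - 1] = rem(poly_shares[j - 1] + eval_poly(f_i, j, q), q)
    return poly_shares


def polynomial_to_additive(poly_shares, t, q):
    """Players P_1..P_{t+1} additively share lambda_i f(i); everybody sums."""
    n = len(poly_shares)
    subset = list(range(1, t + 2))
    add_shares = [0] * n
    for i in subset:
        contrib = rem(lagrange_coeff(subset, i, q) * poly_shares[i - 1], q)
        parts = share_additive(contrib, n, q)
        for j in range(n):
            add_shares[j] = rem(add_shares[j] + parts[j], q)
    return add_shares


def reconstruct_additive(shares, q):
    return rem(sum(shares), q)


def reconstruct_polynomial(shares, t, q):
    subset = list(range(1, t + 2))
    return rem(sum(lagrange_coeff(subset, i, q) * shares[i - 1] for i in subset), q)


def round_trip(secret, n, t, q):
    """additive -> polynomial -> additive; returns what each stage reconstructs."""
    add = share_additive(secret, n, q)
    poly = additive_to_polynomial(add, t, q)
    add2 = polynomial_to_additive(poly, t, q)
    return reconstruct_polynomial(poly, t, q), reconstruct_additive(add2, q)
```

Note that `rem` keeps every intermediate value in $[-q/2, q/2)$, so the shares produced here are exactly the objects the SQ-to-SI protocol of Section 6.2 expects as input.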


6.2. Converting between Integer Shares and Z, Shares 


Converting integer shares into shares over $\mathbb{Z}_q$ clearly requires that $q/2$ is bigger than the absolute value of the secret. If this is the case let $c$ be an integer additively shared over the integers, and $c_i$ be the share held by player $P_i$. An additive sharing over $\mathbb{Z}_q$ can be easily obtained by having each player reduce his own share modulo $q$. More precisely each player $P_i$ sets $c'_i = c_i \ \mathrm{rem}\ q$. Clearly $\sum_{i=1}^{n} c'_i \ \mathrm{rem}\ q = c$.
Converting shares over $\mathbb{Z}_q$ into integer shares, however, is not as easy. The problem here is that if one simply considers the additive shares over $\mathbb{Z}_q$ as additive shares over the integers, then the resulting secret may be off by some multiple of $q$ with respect to the actual one. For example if the $c_i$'s are additive shares of $c$ in $\mathbb{Z}_q$, then one has that $\sum_{i=1}^{n} c_i \ \mathrm{rem}\ q = c$. However this equation simply tells us that $\sum_{i=1}^{n} c_i = c + kq$ where $k$ is the (rounded) quotient of $\sum_{i=1}^{n} c_i$ and $q$ (and in general such a quotient is not zero).
Here we describe a method that allows one to determine this quotient without revealing anything about the secret $c$. The basic idea of the proposed solution is the following. Assume that the shared secret is much smaller than the modulus $q$ (one may assume it is at least $\rho$ bits smaller, where, as usual, $\rho$ is a security parameter). If this is the case, then one can expect the shares $c_i$ to be much larger than $c$. Consequently every player can reveal the high order bits of his share without compromising the secrecy of the shared value. As we will see, knowledge of these bits is sufficient to compute the desired quotient.
The formal protocol is presented in Figure 1.


Remark 2. For the sake of simplicity, we assume that (unless otherwise explicitly noted) all the protocols presented in this article use, as underlying primitive, an $n$ out of $n$ (additive or polynomial) sharing mechanism. This, in particular, means that we assume that no player can stop participating in the protocol before the end of the protocol itself. This may seem a very strong requirement. However we point out here that standard techniques (see [48] for instance) can be used to relax this assumption.


With the following theorem we prove that the SQ-to-SI protocol is actually secure (i.e. that it is correct and private).
SQ-to-SI Protocol

Public Parameters: A value $k$ such that $-2^{k-1} < c = \sum_{i=1}^{n} c_i \ \mathrm{rem}\ q < 2^{k-1}$. A security parameter $\rho$ and a truncation parameter $t = \rho + k + 2$.
Common Input: A modulus $q > 2^{\rho + k + \log n + 4}$.
Private Input (for player $P_j$): A share $c_j \in \mathbb{Z}_q$ of the secret $c$.

Player $P_j$ does as follows:

1. Reveal $a_j = \mathrm{trunc}\left(\frac{c_j}{2^t}\right)$.
2. Publicly compute $\ell = \left\lfloor \frac{2^t \sum_{i=1}^{n} a_i}{q} \right\rceil$.
3. The players run the protocol JRIZ$(-2^{\rho} q, 2^{\rho} q)$ to produce an additive sharing of zero over the integers. Denote with $o_j$ the resulting share obtained by $P_j$.
4. If $j \le |\ell|$ set the output to $c'_j = c_j - q + o_j$ if $\ell > 0$ and to $c'_j = c_j + q + o_j$ if $\ell < 0$. If $j > |\ell|$ set the output to $c'_j = c_j + o_j$.

FIGURE 1. A protocol to convert shares over $\mathbb{Z}_q$ into integer shares





Theorem 1. Let $c_1, \ldots, c_n$ be a random additive sharing of $-2^{k-1} < c = \sum_{i=1}^{n} c_i \ \mathrm{rem}\ q < 2^{k-1}$. If $q > 2^{\rho + k + \log n + 4}$ then the protocol in Figure 1 securely computes additive shares of $c$ over the integers.

Proof. We divide the proof in two steps. First we prove that the protocol is correct and then that it is also private.

To prove that the protocol is correct we have to show that the local outputs of the players are actually shares of $c$. Let $l = \left\lfloor \frac{\sum_{i=1}^{n} c_i}{q} \right\rceil$. Clearly $c = \sum_{i=1}^{n} c_i - lq$ where $|c| < 2^{k-1}$ by our assumption. We want to show that $l$ is actually the same $\ell$ computed in the protocol.

Let $b_i = c_i - 2^t a_i$. Since $2^t a_i$ retains all the bits of $c_i$ above the $t$ least significant ones (and trunc rounds towards zero), $|b_i| < 2^t$. Moreover we have $\sum_{i=1}^{n} b_i = \sum_{i=1}^{n} c_i - 2^t \sum_{i=1}^{n} a_i = c + lq - 2^t \sum_{i=1}^{n} a_i$ and then $2^t \sum_{i=1}^{n} a_i = c + lq - \sum_{i=1}^{n} b_i$. This means that
$$\frac{2^t \sum_{i=1}^{n} a_i}{q} = l + \frac{c}{q} - \frac{\sum_{i=1}^{n} b_i}{q}.$$
Since $l$ is an integer we have that $\ell = l$ if $\left|\frac{c}{q}\right| < \frac{1}{4}$ and $\left|\frac{\sum_{i=1}^{n} b_i}{q}\right| < \frac{1}{4}$, that is if
$$k < \log q - 1 \quad \text{and} \quad t + \log n + 2 = \rho + k + \log n + 4 < \log q$$
hold. Moreover since $c_i \in \mathbb{Z}_q$ for all $i$ we have that $|\ell| \le n$.

Now we prove that the protocol is private. We do this by showing that the protocol is simulatable. According to our definition (see Section 2.2), we need to provide a simulator $\mathcal{S}$ that runs an execution of the protocol together with an adversary $\mathcal{A}$ and produces for it a view that is indistinguishable from the one a real execution of the protocol would have produced. In the simulated scenario we assume that the simulator controls one single player (and without loss of generality we can assume this player is $P_n$). For such a player the simulator holds as initial value an element $c'_n$, which results from a sharing of a secret $c' \ne c$ (in the correct range). Note that the distribution of $n-1$ additive shares (over $\mathbb{Z}_q$) of a secret $c$ is indistinguishable from the distribution of $n-1$ additive shares of a different secret $c'$. This is because if $(c_1, \ldots, c_n)$ is an additive sharing (over $\mathbb{Z}_q$) of $c$, an additive sharing of $c'$ can easily be obtained as $(c_1, \ldots, c_{n-1}, c'_n = c_n - c + c' \ \mathrm{rem}\ q)$. Next for such a share $c'_n$ the simulator computes $a'_n = \mathrm{trunc}\left(\frac{c'_n}{2^t}\right)$ and publishes this value. For steps 2, 3 and 4 the simulator simply follows the same instructions as the protocol. Thus, to conclude the proof, we need to show that the distribution of the $a'_n$ produced in step 1 is statistically indistinguishable from the output produced when running the protocol on a different secret. We prove this by showing that the distributions of the $a_i$'s for different shared values $c$ are statistically indistinguishable. In particular we consider the probability that the $a_i$'s take different values when a different secret $c$ is shared. Without loss of generality let us concentrate on the case in which $c_1, \ldots, c_{n-1}$ are random values and $c_n$ is set as $c_n = c - \sum_{i=1}^{n-1} c_i \ \mathrm{rem}\ q$. In this case clearly $C = -\sum_{i=1}^{n-1} c_i \ \mathrm{rem}\ q$ is uniformly distributed over $\mathbb{Z}_q$ and the values $a_1, \ldots, a_{n-1}$ cannot depend on the secret. It remains to consider $a_n$. By definition $c_n = a_n 2^t + b_n$ where $|b_n| < 2^t$. Let us consider the quantity $c = c_n - C \ \mathrm{rem}\ q$. This value has to be in the range $[-2^{k-1}..2^{k-1}]$. However if we focus on the quantity $c_n - C$, considered over the integers, this value may not be equal to $c$ (i.e. a wrap around occurs). Thus two cases have to be considered, depending on whether $c_n - C$ wraps around or not.

First assume that $c_n - C$ wraps around. This means that $c = c_n - C \pm q$ and in particular one has that either $-2^{k-1} < c_n - (C + q) < 0$ or $0 < c_n - (C - q) < 2^{k-1}$. From the two relations above we get that $c_n$ is independent of $c$ if $|C| < q - 2^{k-1}$. Note that, since $C$ is uniformly distributed over $\mathbb{Z}_q$, this happens with probability at least $1 - 2^{k-1}/q$.

By a similar argument one can prove that, when the quantity $c_n - C$ does not wrap around, if $C \ \mathrm{rem}\ 2^t < 2^t - 2^{k-1}$ then $c_n$ gets a value that is completely independent from $c$. Since this second event happens with probability $1 - 2^{k-1-t}$ one has that the total probability that $c_n$ (and thus $a_n$) gets a value that depends on $c$ is bounded by
$$\Pr\left[|C| \ge q - 2^{k-1}\right] + \Pr\left[C \ \mathrm{rem}\ 2^t \ge 2^t - 2^{k-1}\right] \le \frac{2^k}{q} + \frac{2^k}{2^t} \le 2^{k+1-t}. \qquad (1)$$

Now that we have determined which are the "bad" cases it is not too hard to show that the statistical difference between the distributions of the $a_i$'s for different shared secrets $c$'s has to be smaller than $2^{k+2-t} = 2^{-\rho}$, which by our assumption is negligible.
The bit complexity of the proposed protocol is $O(kn^2 \log n + k^2 n)$ and its communication complexity is $O(kn)$. The round complexity is, clearly, $O(1)$. Note that one may use this protocol also to convert from polynomial shares over $\mathbb{Z}_q$ to polynomial shares over $\mathbb{Z}_{q'}$ where $q' \ne q$, if, of course, $q$ and $q'$ are sufficiently large with respect to the secret and the security parameter being considered.


6.3. Computing Shares of the Binary Representation of a Secret 


In some situations it is useful to have a secret shared bit by bit. Unfortunately the only solution we know to perform this task is not very efficient because it requires one to resort to general multiparty computation protocols. In a nutshell, the basic idea is as follows. Assume the players hold additive shares of a $k$-bit secret $b$. In order to obtain shares of the bits of $b$, each player distributes polynomial shares, modulo some prime $q'$, of the bits of his additive share. Then the players engage in a general multiparty computation protocol to add these bits and obtain shares of the bits of $b$. As noticed by [1] this multiparty computation can be done over $\mathbb{Z}_{q'}$, where $q'$ can be rather small (say $\rho + \log n$ bits). The details of this construction are omitted here, but it is possible to prove that such a solution (we will refer to it as the ADD-to-BIN protocol) requires $O(kn^2 \log q' \log n + kn^2 (\log q')^2 + k^2 n^2 \log n)$ bit operations per player. The communication complexity is $O(k^2 n + nk \log q')$ and the round complexity is $O(\log k + \log n)$.


6.4. Approximate Truncation 


We conclude this section by providing a protocol to perform approximate truncations. The algorithm takes as input polynomial shares of a secret $a$ and a parameter $k$ and returns as output shares of $b$ such that $|b - a/2^k| \le n + 1$. The protocol appears in Figure 2.


TRUNC Protocol

Common Input: A parameter $k$ and a modulus $q > 2^{\rho + k + \log n + 4}$.
Private Input (for player $P_j$): A polynomial share $a_j \in \mathbb{Z}_q$ of the secret $a$.

Player $P_j$ does as follows:

1. Obtain additive shares of $a$ over the integers. (This is done by first running the polynomial to additive share conversion in $\mathbb{Z}_q$ and then by applying the SQ-to-SI protocol on the resulting shares.) Let $a'_j$ be the additive share of $a$ held by player $P_j$.
2. Locally compute $b_j = \mathrm{trunc}\left(\frac{a'_j}{2^k}\right)$.
3. Obtain polynomial shares of $b$ over $\mathbb{Z}_q$ (again using the conversion protocol described in previous sections).

FIGURE 2. A protocol for distributed approximate truncation
It is very easy to see that the protocol is both correct and private for $|q| > \rho + k + \log n + 4$ (this is the same requirement we needed for the SQ-to-SI protocol). The bit complexity of the algorithm is $O(kn^2 \log n + k^2 n)$. The communication complexity is $O(kn)$ and the round complexity is $O(1)$.
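A simulation of the SQ-to-SI protocol of Figure 1 followed by the local truncation step of Figure 2, as an added example that is not the chapter's own code. All $n$ players are simulated in one process, the JRIZ sub-protocol is replaced by a plain zero-sum list of integers, and the parameters $n$, $k$, $\rho$ and the Mersenne prime $q = 2^{89}-1$ are assumptions made for the demonstration. It lets one check the two facts the proofs rely on: the public quotient $\ell$ is exact whenever $q > 2^{\rho+k+\log n+4}$, so the integer shares sum to $c$ itself, and truncating the integer shares share by share moves the reconstructed value by less than $n+1$.

```python
import secrets


def rem(a, q):
    """Centered reduction: the unique c in [-q/2, q/2) with a ≡ c (mod q)."""
    c = a % q
    return c - q if c >= (q + 1) // 2 else c


def trunc_div(a, d):
    """trunc(a / d) for integers a and d > 0: rounds towards zero."""
    return -((-a) // d) if a < 0 else a // d


def round_div(a, d):
    """Nearest-integer rounding of a / d, i.e. floor(a/d + 1/2)."""
    return (2 * a + d) // (2 * d)


def share_zero_over_integers(n, bound):
    """Stand-in for JRIZ(-bound, bound): n integers that sum to zero.
    Only the zero-sum property matters for the correctness check below;
    the real protocol also keeps every share inside the range."""
    o = [secrets.randbelow(2 * bound + 1) - bound for _ in range(n - 1)]
    o.append(-sum(o))
    return o


def sq_to_si(shares, q, k, rho):
    """Figure 1: additive shares of c over Z_q -> additive shares of c over Z.
    Requires |c| < 2^(k-1) and q > 2^(rho + k + log n + 4)."""
    n = len(shares)
    t = rho + k + 2
    assert q > n * 2 ** (rho + k + 4), "modulus too small for the correctness bound"
    a = [trunc_div(c_j, 2 ** t) for c_j in shares]        # step 1: revealed high bits
    ell = round_div(2 ** t * sum(a), q)                     # step 2: public quotient
    o = share_zero_over_integers(n, 2 ** rho * q)           # step 3: JRIZ
    out = []
    for j, c_j in enumerate(shares, start=1):               # step 4
        if j <= abs(ell):
            out.append(c_j - q + o[j - 1] if ell > 0 else c_j + q + o[j - 1])
        else:
            out.append(c_j + o[j - 1])
    return out, ell


def trunc_shares(int_shares, k):
    """Figure 2, step 2: each player truncates his integer share locally."""
    return [trunc_div(a_j, 2 ** k) for a_j in int_shares]


def share_additive_mod(secret, n, q):
    """n additive shares of secret over Z_q."""
    parts = [secrets.randbelow(q) for _ in range(n - 1)]
    parts.append(rem(secret - sum(parts), q))
    return parts


def demo(c, n, q, k, rho, k_trunc):
    """Share c over Z_q, lift the shares to Z, then approximately truncate.
    Returns (sum of the integer shares, sum of the truncated shares)."""
    shares = share_additive_mod(c, n, q)
    int_shares, _ = sq_to_si(shares, q, k, rho)
    b_shares = trunc_shares(int_shares, k_trunc)
    return sum(int_shares), sum(b_shares)
```

The first assertion in `sq_to_si` is the condition $t + \log n + 2 < \log q$ from the proof of Theorem 1; lowering $\rho$ or raising $n$ until it fails is the quickest way to see $\ell$ come out wrong.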


7. Distributed Modular Reduction 


In this section we present an efficient protocol to compute modular reductions, i.e. a distributed algorithm that, taking on input shares of $a$ and $p$, returns as output shares of $a \bmod p$. Using such an algorithm it becomes immediately possible to (efficiently) perform distributed modular addition and multiplication. The proposed method uses an additional modulus $q$ whose size is roughly twice that of $p$ and which is publicly known by all players (note that this also provides an upper bound on the size of $p$).
We point out here that the modular reduction algorithm we are going to present is actually an approximate one: it does not compute the actual $a \bmod p$ but a related value $a'$ that differs from it by a small multiple of the modulus.

Before presenting the actual construction we highlight here the main ideas underlying it. We already defined $a \ \mathrm{rem}\ p = a - \left\lfloor \frac{a}{p} \right\rceil p$. Using this fact, the problem of computing $a \ \mathrm{rem}\ p$ reduces to computing shares of $\left\lfloor \frac{a}{p} \right\rceil p$. This last problem can be split in two: first we compute a distributed approximation of $1/p$, then, on top of this, we compute the shares of $\left\lfloor \frac{a}{p} \right\rceil p$. To compute the approximation of $1/p$ we employ the so-called Newton Iteration Method that we briefly recall in the next section. In Section 7.3 we will focus on how to compute a good approximation of


7.1. Newton Iteration Method 


Newton's method provides a powerful way to approximate the roots of an equation. Let $f(x)$ be a differentiable function and let $r$ and $r_0$ be a root and a first approximation of this root respectively. Let us consider the point on the curve of the function $P = (r_0, f(r_0))$. The slope of the tangent line in this point is clearly $f'(r_0)$. Moreover the tangent intersects the $x$-axis in a point having $x$-value $r_1$. It is easy to check that the value $r_1$ is a better approximation of $r$ than $r_0$. From $r_1$ one can re-iterate the method to obtain a better approximation $r_2$ and so on.
The equation of the tangent line in point $P$ is given by
$$y - f(r_0) = f'(r_0)(x - r_0).$$
Thus for $y = 0$ we obtain the iteration formula
$$r_i = r_{i-1} - \frac{f(r_{i-1})}{f'(r_{i-1})}.$$
In our case we will employ Newton's method with the function $f(x) = \frac{1}{x} - p$, whose root is $1/p$. Since $f'(x) = -1/x^2$, this leads to the iteration formula
$$x_{i+1} = x_i - \frac{1/x_i - p}{-1/x_i^2} = x_i\,(2 - p\,x_i). \qquad (2)$$
Recall that a sequence $\{x_i\}$ converges linearly to $w$ if for sufficiently large $i$, $|x_{i+1} - w| \le c\,|x_i - w|$ where $0 < c < 1$, and it converges quadratically if for sufficiently large $i$, $|x_{i+1} - w| \le c\,|x_i - w|^2$ for some constant $c$. It is easy to verify that the iteration formula (2) converges quadratically: indeed $\frac{1}{p} - x_{i+1} = p\left(\frac{1}{p} - x_i\right)^2$.





7.2. First Step: Computing Shares of an Approximation of 1/p 


Here we present a protocol to compute polynomial shares of an integer $p'$ such that $p' 2^{-k-t} = 1/p + \epsilon$ (where $|\epsilon| < (n+1)\,2^{-k-t+4}$ for some parameter $t$) starting from polynomial shares of $2^{k-1} < p < 2^k$. As already mentioned in the previous section we will adopt Newton's method using equation (2) as iteration formula. In particular we initialize it with the starting value $3/2$; this produces a starting error of $\left|\frac{2^k}{p} - \frac{3}{2}\right| < \frac{1}{2}$ and then we need about $\log t$ iterations to have a $t$-bit approximation $x'$ of $2^k/p$. Then once this $x'$ is computed we set $p' = x' 2^t$ which is an integer. The formal protocol is presented in Figure 3.

Remark 3. Note that in the formal protocol that appears in Figure 3 we initialize the iteration using $x_0 = 3 \cdot 2^{t-1}$ rather than with $x_0 = 3/2$. This has basically no consequences in practice because at the end of the algorithm we set $p' = x_{i+1} = x'$ (which is already of the correct form) rather than $p' = x' 2^t$.


Remark 4. The pseudo-code in Figure 3 contains a slight misuse of notation. Note that during the first execution of the for cycle (i.e. when $i = 0$) $x_0$ is a constant value known to all the participants. In this case, then, player $P_j$ computes his share of $p \cdot x_0$ by simply multiplying his share $p_j$ by $x_0$ (see Section 4.1). On the other hand all the other $x_i$'s are not publicly known by the players and thus resorting to the multiplication protocol becomes necessary.


Now we prove that the proposed protocol is secure. 


Theorem 2. Let $\rho$ be a security parameter and $q > 2^{\rho + t + \mu + 6 + \log n}$ where $\mu = \max(k, t)$; then for any $t > 5 + \log(n+1)$ and any $p$ satisfying $2^{k-1} < p < 2^k$ for some $k$, the protocol presented in Figure 3 securely computes shares of $p'$ such that
$$\frac{p'}{2^{k+t}} = \frac{1}{p} + \epsilon, \qquad |\epsilon| < (n+1)\,2^{-k-t+4},$$
where $0 \le p' < 2^{t+2}$. Thus $\frac{p'}{2^{k+t}}$ is an approximation of $\frac{1}{p}$ with (relative) error of about $(n+1)\,2^{-t+4}$.

Proof. We have to prove that $p'$ is actually an approximation of $1/p$. Security trivially follows from the composability of the sub-protocols used.
P-INVERT Protocol

Public Parameters: A value $k$ such that $2^{k-1} < p < 2^k$ and an approximation parameter $t$.
A prime $q$ such that $|q| > 2|p|$.
Private Input (for player $P_j$): A polynomial share $p_j \in \mathbb{Z}_q$ of the secret $p$.

Player $P_j$ does as follows:

1. Set $(x_0)_j = x_0 = 3 \cdot 2^{t-1}$.
2. For $i = 0$ to $\lceil \log(t - 3 - \log(n+1)) \rceil - 1$ do
   Run the protocol MUL$((x_i)_j, p_j)$ to produce a polynomial sharing, over $\mathbb{Z}_q$, of $x_i \cdot p$. Denote with $z_j$ the local output of player $P_j$.
   Run the TRUNC$(z_j, k)$ protocol and let $w_j$ be the local output.
   Run the protocol MUL$(w_j, (x_i)_j)$ to produce a polynomial sharing, over $\mathbb{Z}_q$, of $w \cdot x_i$. Denote with $W_j$ the local output of player $P_j$.
   Set $v_j = 2^{t+1} (x_i)_j - W_j \ \mathrm{rem}\ q$.
   Run the TRUNC$(v_j, t)$ protocol and set $(x_{i+1})_j$ as the local output.
3. The players run the protocol JRPZ$(\mathbb{Z}_q)$ to produce polynomial shares of zero. Denote with $o_j$ the share obtained by $P_j$.
4. Set the output to $p'_j = (x_{i+1})_j + o_j \ \mathrm{rem}\ q$.

FIGURE 3. A protocol for distributed computation of an approximation of $1/p$





First note that $x_0$ and $x_1$ are both positive. Moreover, ignoring the truncation errors for the moment, one can write
$$x_{i+1} = \frac{x_i}{2^t}\left(2^{t+1} - \frac{x_i\,p}{2^k}\right) = x_i\left(2 - \frac{x_i}{2^t} \cdot \frac{p}{2^k}\right). \qquad (3)$$
Thus
$$\frac{2^k}{p} - \frac{x_{i+1}}{2^t} = \frac{p}{2^k}\left(\frac{2^k}{p} - \frac{x_i}{2^t}\right)^2 \ge 0,$$
so $x_{i+1}/2^t \le 2^k/p < 2 \cdot 2^k/p$, which by (3) gives $x_{i+2} > 0$; hence $x_i > 0$ for all $i$.
Now, because of the local truncations (each of which introduces an error of at most $n+1$), one has that
$$\left|\frac{2^k}{p} - \frac{x_{i+1}}{2^t}\right| \le \frac{p}{2^k}\left(\frac{2^k}{p} - \frac{x_i}{2^t}\right)^2 + \frac{n+1}{2^t}\left(\frac{x_i}{2^t} + 1\right).$$
Since $p/2^k < 1$ we have that the above relation is strictly smaller than
$$\left(\frac{2^k}{p} - \frac{x_i}{2^t}\right)^2 + \frac{n+1}{2^t}\left(\frac{x_i}{2^t} + 1\right).$$
Now let us see how "big" every $x_i$ can be. Observe that $x_i 2^{-t} < 4$ for all $i$'s. This is because $x_{i+1} = \frac{x_i}{2^t}\left(2^{t+1} - \frac{x_i p}{2^k}\right)$ and since $x_i, x_{i+1} > 0$ it has to be the case that $2^{t+1} - \frac{x_i p}{2^k} > 0$ which, in turn (as $p > 2^{k-1}$), implies that $x_i < 4 \cdot 2^t$.
Thus we can conclude that
$$\left|\frac{2^k}{p} - \frac{x_{i+1}}{2^t}\right| < \left(\frac{2^k}{p} - \frac{x_i}{2^t}\right)^2 + \frac{5(n+1)}{2^t}.$$
Now we define $\epsilon_0 = \left|\frac{2^k}{p} - \frac{x_0}{2^t}\right|$ and
$$\epsilon_{i+1} = \epsilon_i^2 + \frac{n+1}{2^{t-3}}.$$
Notice that $\epsilon_0 < 1/2$; moreover by imposing that $n \le 2^{t-5} - 1$ one has that $\epsilon_1 \le 1/2$ and $\epsilon_i \le 2^{-2^i} + (n+1)\,2^{-t+3}$. Thus to obtain $\epsilon_i \le (n+1)\,2^{-t+4}$, $i = \lceil \log(t - 3 - \log(n+1)) \rceil$ iterations suffice.

Finally note that the bound on the size of $q$ comes from the fact that we need to resort to the SQ-to-SI algorithm to properly deal with the shares $v_j$ and $z_j$.













The cost of the protocol is dominated by the cost of the distributed multiplication protocol which has to be repeated $2\lceil \log(t - 3 - \log(n+1)) \rceil = O(\log t)$ times. Thus the cost of the protocol, in terms of bit operations, is roughly $O(\log t\,(k^2 n + kn^2 \log n))$ bit operations per player. Its communication complexity is $O(kn \log t)$ and its round complexity is $O(\log t)$.

Remark 5. The previous theorem holds for any $t > 5 + \log(n+1)$, but in order for the $\ell$ most significant bits of $1/p$ and $p'/2^{k+t}$ to be the same, this parameter should be set bigger than $\ell + 5 + \log(n+1)$.


7.3. Second Step: the Modular Reduction Protocol 


Here we describe the actual modular reduction protocol. Assume the players are given polynomial shares (over $\mathbb{Z}_q$) of three integers: the modulus $p$ (in the range $[2^{k-1}..2^k]$), the approximation of $1/p$, $p'$ (in the range $[0..2^{t+2}]$) and a value $c$ in the range $[-2^w..2^w]$. The proposed protocol distributively computes shares of an integer $d$ that is an approximation of $c \ \mathrm{rem}\ p$. More precisely $d = c \ \mathrm{rem}\ p + ip$ with $|i| < (n+1)(1 + 2^{w-k-t+4})$.
The basic idea of the algorithm is to compute $d$ as $c - \left\lfloor c\,p'\,2^{-k-t} \right\rfloor p$. Note that in order to avoid wrap-arounds for the product $cp'$ it is important that the public modulus $q$ is (at least) $w + t$ bits long.
The formal protocol appears in Figure 4.

Remark 6. Notice that the $\ell$ least significant bits of $c$, for $\ell$ not too large with respect to $k$, do not influence the computation of the (approximate) quotient. For this reason we could eliminate these bits from $c$ using the truncation algorithm described in Figure 2. Denoting with $c'$ the "truncated" $c$, one can compute the required $d$ as $c - \left\lfloor c'\,p'\,2^{-k-t+\ell} \right\rfloor p$, which has the advantage of requiring a public modulus $q$ of smaller size. This solution however requires a slightly more complicated analysis (more parameters have to be considered). Thus, even though reducing the size of the public modulus is of primary importance for practical applications, in our context it may be preferable to describe a slightly less efficient but simpler solution.


MOD-RED Protocol
Public Parameters: A value $k$ such that $2^{k-1} < p < 2^k$, a value $w$ such that $-2^w < c < 2^w$, and an approximation parameter $t$ such that $0 \le p' < 2^{t+2}$. A security parameter $\rho$.
A prime $q$ such that $|q| > 2\rho + w + 2\log(n+1) + 6 + t$.
Private Input (for player $P_j$): A polynomial share $p_j \in \mathbb{Z}_q$ of the secret modulus $p$. A polynomial share $p'_j \in \mathbb{Z}_q$ of an approximation of $1/p$ and a polynomial share $c_j \in \mathbb{Z}_q$ of the value $c$.

Player $P_j$ does as follows:

1. Run the protocol MUL$(c_j, p'_j)$. Denote with $z_j$ the local output of player $P_j$.
2. Run the TRUNC$(z_j, k + t)$ protocol and let $x_j$ be the local output of player $P_j$.
3. Run the protocol MUL$(x_j, p_j)$ and denote with $W_j$ the local output of player $P_j$.
4. Set the output to $d_j = c_j - W_j$.

FIGURE 4. A protocol to distributively compute shares of $c \ \mathrm{rem}\ p$





Theorem 3. Assume the players are given polynomial shares (over $\mathbb{Z}_q$) of three integers $2^{k-1} < p < 2^k$, $-2^w < c < 2^w$, and $0 \le p' < 2^{t+2}$. The protocol in Figure 4 securely computes shares of an integer $d$ such that $d = c \ \mathrm{rem}\ p + ip$ where $|i| < (n+1)(2^{w-k-t+4} + 1)$, given that $\log q > 2\rho + w + 2\log(n+1) + 6 + t$.

Proof. Here we prove that the protocol is correct. Security follows from the composability of the sub-protocols used.
First note that due to the local truncations (step 2 of the algorithm) one has that
$$\frac{c\,p'}{2^{k+t}} - (n+1) \le x \le \frac{c\,p'}{2^{k+t}} + (n+1).$$
As seen in the previous section, however, $p'\,2^{-(k+t)}$ is only an approximation of $1/p$. This means that we can rewrite the relation above as
$$c\left(\frac{1}{p} - \frac{n+1}{2^{k+t-4}}\right) - n - 1 \le x \le c\left(\frac{1}{p} + \frac{n+1}{2^{k+t-4}}\right) + n + 1$$
and in particular
$$\frac{c}{p} - (n+1)\frac{c}{2^{k+t-4}} - n - 1 \le x \le \frac{c}{p} + (n+1)\frac{c}{2^{k+t-4}} + n + 1.$$
Moreover, since $-2^w < c < 2^w$, the above relation becomes
$$\frac{c}{p} - (n+1)\left(2^{w-k-t+4} + 1\right) \le x \le \frac{c}{p} + (n+1)\left(2^{w-k-t+4} + 1\right).$$
Which means that $d = c - px = (c \ \mathrm{rem}\ p) + ip$ with $|i| < (n+1)(2^{w-k-t+4} + 1)$.
Finally note that the bound on the size of $q$ comes from the fact that we need to resort to the SQ-to-SI algorithm to use the TRUNC algorithm.














Again the cost of the protocol is dominated by the cost of the TRUNC algorithm and by that of the MUL protocol. Since, this time, these protocols are run just once we have that the MOD-RED protocol costs $O(k^2 n + kn^2 \log n)$ bit operations per player. The communication complexity is $O(kn)$ and the round complexity is $O(1)$.


Remark 7 (Size of the parameters). Once we have described the algorithms to perform reductions modulo a shared integer, we are ready to discuss some applications that require computation with respect to a shared modulus. In other words we can now show how to build new protocols on top of those just described.

In order to do this properly, we need to clarify how to set the parameters of the MOD-RED and P-INVERT algorithms to make such an ongoing computation possible. As before, assume the players are given polynomial shares (over $\mathbb{Z}_q$) of the integers $2^{k-1} < p < 2^k$ and $0 \le p' < 2^{t+2}$. If we set
$$t = \lceil k + 10 + 2\log(3(n+1)) \rceil, \qquad v = k + \log(3(n+1)) + 1$$
and
$$\log q > \rho + 2k + 36 + 6\log(n+1),$$
then starting with polynomial shares (over $\mathbb{Z}_q$) of an integer $-2^{2v} < c < 2^{2v}$, the players can compute shares of an integer $-2^v < d < 2^v$ by means of the MOD-RED protocol.

Moreover this means that if the players are given on input polynomial shares of $-2^v < a, b < 2^v$, they can compute shares of an integer $-2^v < d' < 2^v$ obtained as $a \cdot b \ \mathrm{rem}\ p$. Thus such a $d'$ can later be used as input for further distributed computation modulo the shared $p$.
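The P-INVERT loop of Figure 3 and the MOD-RED step of Figure 4, run in the clear on a single machine with exact integer arithmetic, as an added example that is not part of the original chapter. It follows the parameter choice of Remark 7 and uses the bounds of Theorems 2 and 3 as its checks. The modulus $p = 2^{63}-25$, the player count $n = 3$ (which only enters through the iteration count and the error bounds) and the sample inputs are assumptions made for the demonstration; since every TRUNC is exact here, the actual errors are smaller than in the protocol, and the checks deliberately use the protocol's looser bounds.

```python
import math


def trunc_div(a, d):
    """trunc(a / d) for integers a and d > 0: rounds towards zero."""
    return -((-a) // d) if a < 0 else a // d


def rem(a, q):
    """Centered reduction: the unique c in [-q/2, q/2) with a ≡ c (mod q)."""
    c = a % q
    return c - q if c >= (q + 1) // 2 else c


def newton_iterations(t, n):
    """Number of loop iterations in Figure 3: ceil(log(t - 3 - log(n+1)))."""
    return math.ceil(math.log2(t - 3 - math.log2(n + 1)))


def p_invert(p, k, t, n):
    """Figure 3 in the clear: an integer p' with p'/2^(k+t) ≈ 1/p.
    x_i / 2^t tracks 2^k / p; w and the next x come out of the two TRUNC calls."""
    assert 2 ** (k - 1) < p < 2 ** k
    x = 3 * 2 ** (t - 1)                        # x_0 / 2^t = 3/2
    for _ in range(newton_iterations(t, n)):
        z = x * p
        w = trunc_div(z, 2 ** k)                # TRUNC(z, k)   ~ x p / 2^k
        v = 2 ** (t + 1) * x - w * x
        x = trunc_div(v, 2 ** t)                # TRUNC(v, t)   ~ x (2 - x p / 2^(k+t))
        assert 0 < x < 2 ** (t + 2)             # the bound x_i < 4 * 2^t from the proof
    return x


def inverse_error_ok(p, p_approx, k, t, n):
    """|p'/2^(k+t) - 1/p| < (n+1) 2^(-k-t+4), rewritten with integers only."""
    return abs(p_approx * p - 2 ** (k + t)) < (n + 1) * 16 * p


def mod_red(c, p, p_approx, k, t):
    """Figure 4 in the clear: d = c - trunc(c p' / 2^(k+t)) p, so d ≡ c (mod p)."""
    x = trunc_div(c * p_approx, 2 ** (k + t))
    return c - x * p


def reduction_offset(d, c, p):
    """The multiple i of p by which d differs from the centered c rem p."""
    diff = d - rem(c, p)
    assert diff % p == 0
    return diff // p


def remark7_params(k, n):
    """Remark 7: (t, v) such that MOD-RED maps (-2^2v, 2^2v) back into (-2^v, 2^v)."""
    t = math.ceil(k + 10 + 2 * math.log2(3 * (n + 1)))
    v = math.ceil(k + math.log2(3 * (n + 1)) + 1)
    return t, v


def mul_mod_shared(a, b, p, p_approx, k, t):
    """One multiply-then-reduce step of an ongoing computation modulo p."""
    return mod_red(a * b, p, p_approx, k, t)
```

With these parameters `mod_red` returns a value congruent to $c$ modulo $p$ whose distance from the centered remainder is at most a handful of multiples of $p$, which is exactly what keeps a long chain of `mul_mod_shared` calls inside the range $(-2^v, 2^v)$ that the next call needs.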
8. Exponentiation with a Shared Exponent


In this section we describe some useful applications of the protocols described in 
the previous section. 

Our first application is a distributed version of the Square and Multiply algorithm. In a nutshell the Square and Multiply algorithm allows one to efficiently compute $a^b \bmod p$. In particular it requires at most $2\ell$ modular multiplications, where $\ell$ is the number of bits in the binary representation of $b$. The method assumes that the exponent is represented in binary notation, $b = \sum_{i=0}^{\ell-1} b_i 2^i$, and exploits the fact that
$$a^b = a^{\sum_{i=0}^{\ell-1} b_i 2^i} = \prod_{i=0}^{\ell-1} \left(a^{2^i}\right)^{b_i}.$$


The algorithm is presented in Figure 5.

Square and Multiply Algorithm
1. $z \leftarrow 1$
2. For $i = \ell - 1$ down to $0$ do
3.   $z \leftarrow z^2 \bmod p$
4.   if $b_i = 1$, then $z \leftarrow z \cdot a \bmod p$

FIGURE 5. The basic (non distributed) Square and Multiply algorithm to compute $c = a^b \bmod p$





Now assume that the players want to compute shares of $c = a^b \bmod p$ when $a, b, p, p'$ are shared secrets and $p'$ is the usual approximation of $1/p$. Thus we need to build a distributed version of the Square and Multiply method discussed above. More specifically this means that we need to be able to efficiently "distribute" the operations in steps 3 and 4 of the algorithm in Figure 5. Computing $z^2 \bmod p$ is rather straightforward: it requires an execution of the MUL protocol and then an execution of the distributed modular reduction protocol MOD-RED. Implementing step 4 requires some thinking.

The problem here is that we need to implement an if condition on a secret value. This means that the players should be able to use the actual value of the bits $b_i$ without revealing any information about these bits. We realize this as follows. First note that, for $b_i \in \{0, 1\}$, $a^{b_i} = (a-1)\,b_i + 1$; then, with this formula in mind, step 4 in the Square and Multiply algorithm can be rewritten as $z \leftarrow z \cdot ((a-1)\,b_i + 1) \bmod p$ and it can be easily implemented by resorting, once again, to one execution of the MUL protocol followed by an execution of the MOD-RED protocol.

The full details of the algorithm appear in Figure 6.

As for the bit complexity of the protocol, its cost is roughly that of $3k$ executions of the multiplication protocol and $2k$ distributed modular reductions. This leads to a total cost of $O(k^3 n + k^2 n^2 \log n)$ bit operations per player. The total communication complexity is about $O(nk^2)$ and it requires $O(k)$ rounds of communication among the parties.
Distr-Sq-Mult Protocol
Public Parameters: A value $k$ such that $2^{k-1} < p, b < 2^k$, a value $v$ such that $-2^v < c < 2^v$, a security parameter $\rho$.
A prime $q$ of size as described in Remark 7.
Private Input (for player $P_j$): A polynomial share $p_j \in \mathbb{Z}_q$ of the secret modulus $p$. A polynomial share $p'_j \in \mathbb{Z}_q$ of an approximation of $1/p$, a polynomial share $a_j \in \mathbb{Z}_q$ of the value $a$ and shares $(b_i)_j$ of the bits $b_k, \ldots, b_1$ of $b$.

Player $P_j$ does as follows:
1. Run the protocol MUL$(a_j - 1 \ \mathrm{rem}\ q, (b_k)_j)$. Denote with $(z_k)_j$ the local output of player $P_j$.
2. Set $(c_k)_j = (z_k)_j + 1 \ \mathrm{rem}\ q$.
3. For $i = k-1$ down to $1$ do
   (a) Run the protocol MUL$(a_j - 1 \ \mathrm{rem}\ q, (b_i)_j)$. Denote with $(z_i)_j$ the local output of player $P_j$. Set $(d_i)_j = (z_i)_j + 1 \ \mathrm{rem}\ q$.
   (b) Run the protocol MUL$((c_{i+1})_j, (c_{i+1})_j)$. Denote with $(x_{i+1})_j$ the local output of player $P_j$. Reduce $x_{i+1}$ modulo $p$ by invoking the protocol MOD-RED$((x_{i+1})_j, p_j, p'_j)$. Denote with $(x_{i+1} \ \mathrm{rem}\ p)_j$ the local output of player $P_j$.
   (c) Run the protocol MUL$((x_{i+1} \ \mathrm{rem}\ p)_j, (d_i)_j)$ and let $(\alpha_i)_j$ be the local output of player $P_j$. Run the protocol MOD-RED$((\alpha_i)_j, p_j, p'_j)$ and set $(c_i)_j$ as the local output for player $P_j$.
4. Output $c_j = (c_1)_j$.

FIGURE 6. A distributed version of the Square and Multiply algorithm to compute $c = a^b \bmod p$
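A single-machine version of the loop in Figure 6 with exact reduction modulo $p$, as an added example that is not the chapter's own code. It isolates the point of step 4: the exponent bits only ever enter through the product $(a-1)\,b_i + 1$, so the sequence of multiplications is identical for every exponent, which is what makes the loop usable on shared bits (and, as a side effect, removes the secret-dependent branch of the textbook loop, included here for comparison). The values of $a$, $b$, $p$ and the bit length $k$ are assumptions chosen for the demonstration.

```python
def bits_msb_first(b, k):
    """Binary representation b_k ... b_1 of b (k bits, most significant first)."""
    assert 0 <= b < 2 ** k
    return [(b >> (i - 1)) & 1 for i in range(k, 0, -1)]


def secret_bit_power(a, bit, p):
    """a^bit mod p without branching on bit: a^bit = (a - 1) bit + 1 for bit in {0, 1}."""
    return ((a - 1) * bit + 1) % p


def oblivious_square_and_multiply(a, b, p, k):
    """Figure 6 in the clear: the exponent enters only through products with its
    bits, never through an 'if', so control flow is independent of b.
    'mod p' is exact here; the protocol uses MOD-RED instead."""
    bits = bits_msb_first(b, k)
    c = secret_bit_power(a, bits[0], p)            # c_k = a^{b_k}
    for bit in bits[1:]:                           # i = k-1 down to 1
        d = secret_bit_power(a, bit, p)            # d_i = (a - 1) b_i + 1
        c = (c * c) % p                            # square:   c_{i+1}^2 rem p
        c = (c * d) % p                            # multiply: times a^{b_i}
    return c


def branching_square_and_multiply(a, b, p, k):
    """Figure 5: the textbook loop with a data-dependent branch, for comparison."""
    z = 1
    for bit in bits_msb_first(b, k):
        z = (z * z) % p
        if bit == 1:
            z = (z * a) % p
    return z
```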





8.1. Set Membership 


In this section we discuss a simple protocol that uses the distributed modular reduction algorithm as a subroutine to solve the so-called Set Membership problem. Assume that a set of $n$ players wants to establish whether a shared value $a$ belongs to a set of (shared) integers $b_1, \ldots, b_m$. A simple strategy to solve this problem is to check if there is a $b_i$ for which $a = b_i \bmod p$ holds. To perform this check in a distributed way one may simply compute (for each $b_i$) the value $a - b_i \bmod p$, multiply it with a jointly generated random element and check if the obtained result is zero or not.

Unfortunately, however, this solution does not quite solve the problem in our setting. Indeed the modular reduction protocol we have can only compute an approximation of the actual $a - b_i \bmod p$ (i.e. a value that is off by some small multiple $i$ of $p$ from the actual solution). However since $i$ is less (in absolute value) than $3n$ we can distributively compute
$$\Delta = \prod_{j=-3(n+1)}^{3(n+1)} \left(a - b_i - jp\right) \bmod p$$
and then check if $\Delta$ is zero or not. Note that this holds also modulo $q$ if $q$ is sufficiently bigger than $p$.

We are not done however. The ideas described so far allow one to test if a shared $a$ is equivalent to a shared $b_i$ modulo a shared $p$ in a secure way. As a consequence one may think of computing several $\Delta_i$'s as before (one for each $b_i$ to be tested) and then check which one is zero. This solution however would release some additional information (in addition to the set membership), namely which $b_i$ the value $a$ is equal to (one could, for example, learn that $a$ is equal to, say, the third element in the set). To overcome this problem we can further multiply the $\Delta_i$'s with each other and test if the resulting product is zero or not.

The complete protocol for the set membership problem is presented in Figure 7 and assumes that $a$ and the $b_i$'s are all bounded in absolute value by $2^v$.


SET-MEM Protocol

Public Parameters: A value $k$ such that $2^{k-1} < p < 2^k$, a value $v$ such that $-2^v < a, b_i < 2^v$ for $i = 1, \ldots, m$. A security parameter $\rho$.
A prime $q$ of size as described in Remark 7.
Private Input (for player $P_j$): A polynomial share $p_j \in \mathbb{Z}_q$ of the secret modulus $p$. A polynomial share $p'_j \in \mathbb{Z}_q$ of an approximation of $1/p$. A polynomial share $a_j \in \mathbb{Z}_q$ of the value $a$ and shares $(b_i)_j$ of the values $b_i$.

Player $P_j$ does as follows:
1. For $i = 1$ to $m$ do
   Run the protocol MOD-RED$(a_j - (b_i)_j \ \mathrm{rem}\ q, p_j, p'_j)$. Denote with $(c_i)_j$ the local output of player $P_j$.
2. For $i = 1$ to $m$ do
   (a) Set $(\Delta_{-3(n+1),i})_j = (c_i)_j - 3(n+1)\,p_j \ \mathrm{rem}\ q$.
   (b) For $\ell = -3(n+1)+1$ to $3(n+1)$ do
       Run the protocol MUL$((\Delta_{\ell-1,i})_j, (c_i)_j + \ell\,p_j \ \mathrm{rem}\ q)$. Denote with $(\Delta_{\ell,i})_j$ the local output of player $P_j$.
3. Set $(B_1)_j = (\Delta_{3(n+1),1})_j$.
4. For $i = 2$ to $m$ do
   Run the protocol MUL$((B_{i-1})_j, (\Delta_{3(n+1),i})_j)$. Denote with $(B_i)_j$ the local output of player $P_j$.
5. Run the protocol JRP-INV to generate shares $r_j$ of a random invertible element $r$.
6. Run the protocol MUL$((B_m)_j, r_j)$ and denote with $z_j$ the share obtained by player $P_j$.
7. Publish $z_j$ and using the values disclosed by the other players interpolate $z$. Output YES if $z = 0 \ \mathrm{rem}\ q$ and NO otherwise.

FIGURE 7. A distributed protocol to test if $a$ belongs to the set $b_1, \ldots, b_m$
The security of the protocol easily follows from the secure composability of
the sub-protocols used. Furthermore no information about the shared inputs is
disclosed when $z$ is reconstructed, because $z$ is either zero or a completely random
value.

The protocol requires $O(mn(nk^2 + kn^2 \log n))$ bit operations per player and $O(k + n)$
rounds of communication. The communication complexity is bounded by
$O(mn^2 k)$.


9. Generating Shared Random Primes 


In this section we show how to generate a shared prime and a shared safe prime (see footnote 3).


Our approach consists, essentially, in showing how to use the protocols presented 
so far to implement a distributed version of the Miller-Rabin algorithm [42, 47] on 
a candidate random secret, jointly chosen by the players. 

We proceed step by step: first we present and discuss the basic (i.e. non distributed) 
Miller-Rabin test, then we show how to efficiently generate a shared candidate 
prime and finally we present a distributed version of the Miller-Rabin method. 


9.1. The Basic Miller-Rabin Algorithm 


We begin with a brief description of the Miller-Rabin algorithm to test if a given
integer $p$ is a prime (the pseudo-code appears in Figure 8). The Miller-Rabin
test is a probabilistic algorithm that takes as input a candidate prime $p$ and
returns as output "yes" if it "thinks" that $p$ is prime and "no" otherwise. If the
algorithm answers "no", then this answer is always correct. On the other hand, if
the algorithm's output is "yes" this answer may be wrong, but only with probability
at most $1/4$ (see [47] for a proof of this fact). This means that if we run the test $w$ times,
with independent random choices, on some candidate integer $p$ and the test always
outputs "yes", then a composite $p$ would have survived all $w$ runs with probability
at most $(1/4)^w$.

The algorithm is based on the following basic idea. Fermat's Little Theorem states
that if $p$ is a prime and $a \in \mathbb{Z}_p^*$, then $a^{p-1} = 1 \bmod p$. Thus one may think of
using this fact the other way round as a possible way to test if a given number
is prime. In particular one can choose a random $a$ and test if $a^{p-1} = 1 \bmod p$
holds. Unfortunately this strategy does not work, because there are composites $p$
(known as Carmichael numbers) for which $a^{p-1} = 1 \bmod p$ for all $a \in \mathbb{Z}_p^*$. The
Miller-Rabin test overcomes this difficulty by choosing several random $a$'s in $\mathbb{Z}_p^*$,
for which $a^{p-1}$ is computed via repeated squarings (starting from $a^m$, where
$p - 1 = 2^\ell m$ with $m$ odd). After each squaring the
algorithm checks if the obtained power of $a$ is a non-trivial square root of 1 (i.e.
a root of 1 that is not congruent to $\pm 1 \bmod p$). If this is the case, then $p$ has to
be composite. The quality of the test depends on a theorem that Rabin proved
in [47]. The reader is referred to that paper for further details.





3Recall that a prime p is said to be safe if it is of the form p = 2p’ +1 where p’ is a prime number 
itself. Safe primes are very useful objects in cryptography. 
Miller-Rabin Primality Test

1. Let $p - 1 = 2^\ell m$ ($m$ odd).
2. Choose a random integer $a$ such that $1 < a < p - 1$.
3. Compute $b = a^m \bmod p$.
4. If $b = 1 \bmod p$, then answer yes and quit.
5. For $i = 0$ to $\ell - 1$ do
       if $b = -1 \bmod p$, then answer yes and quit;
       else $b = b^2 \bmod p$.
6. Answer no.

FIGURE 8. The basic (non distributed) Miller-Rabin primality test for an odd integer $p$





9.2. Generation of a Shared Candidate Prime 

In this section we will discuss a very elegant method, originally proposed by Boneh
and Franklin [7], to efficiently generate a shared candidate prime of some size $k$.
Every participant, but the first one, chooses a random $(k - \log n - 1)$-bit integer
$p_i$ such that $p_i = 0 \bmod 4$. The first player, on the other hand, chooses a random
$(k - \log n - 1)$-bit integer $p'_1$ such that $p'_1 = 3 \bmod 4$ and sets $p_1 = 2^{k-1} + p'_1$.

In this way the players have an additive sharing (over the integers) of the candidate
$p = \sum_i p_i$, which is clearly a $k$-bit integer (the $n$ random parts sum to less than
$2^{k-1}$, and the leading term $2^{k-1}$ of $p_1$ fixes the top bit); moreover $p = 3 \bmod 4$.

We point out that the original Boneh-Franklin technique does not require $p =
3 \bmod 4$ as we are doing here. However, as we will see in Section 9.3, this restriction
allows for a more efficient variant of the Miller-Rabin test.

Once the candidate $p$ is shared, the players engage in a secure distributed protocol
to determine if $p$ is divisible by any prime less than some (publicly known) bound
$B$. This trial division protocol can be easily implemented as described in Figure 9.


Remark 8. Observe that the method described in Figure 9 does not work correctly
if $e$ is not larger than $n$. This is because in this case $\mathbb{Z}_e$ is too small and there are
not enough (non-zero) evaluation points to do a polynomial secret sharing among $n$ players.

For such small $e$'s one must resort to an extension field of $\mathbb{Z}_e$ that contains at least
$n + 1$ points. See [7] for more details about this.


Since there are (approximately) $B/\log B$ primes in the interval $\{1, \ldots, B\}$, the
proposed protocol costs $O\!\left(\frac{B}{\log B}\,(n^2 \log B + n (\log B)^2)\right)$ in terms of bit operations.
Furthermore it requires $O(1)$ rounds and its communication complexity is $O(Bk)$.
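As an added illustration (this code is not part of the notes; the parameters n = 3, t = 1, k = 32 and B = 60 are assumptions), the following Python simulates, for all players in one process and in the honest-but-curious model, the candidate generation of Section 9.2 and the Trial Division protocol of Figure 9. Two simplifications are assumptions of the example: JRP-INV is modelled as an ideal functionality that hands out Shamir shares of a random invertible r, and the MUL step is replaced by opening the degree-2t local product directly, which is adequate only because r·p is published in the very next step and n ≥ 2t + 1. Primes e ≤ n are skipped, as Remark 8 requires an extension field for them.

```python
import random

# Added example (not the notes' own code): a single-process, honest-but-curious
# simulation of the candidate generation of Section 9.2 and of the Trial Division
# protocol of Figure 9. Two simplifications are assumptions of this example: JRP-INV
# is modelled as an ideal functionality handing out shares of a random r in Z_e^*, and
# the MUL step is replaced by opening the degree-2t local product directly, which
# suffices when n >= 2t + 1 since the product r*p is published anyway.

def small_primes(bound):
    """All primes e < bound (sieve of Eratosthenes)."""
    sieve = bytearray([1]) * max(bound, 2)
    sieve[0] = sieve[1] = 0
    for i in range(2, int(bound ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [e for e in range(bound) if sieve[e]]

def bf_candidate_shares(n, k, rng):
    """Section 9.2: additive shares p_1..p_n (over the integers) of a k-bit p = 3 mod 4.
    Each p_i is a (k - ceil(log2 n) - 1)-bit value; P_1 also carries the leading 2^(k-1)."""
    bits = k - (n - 1).bit_length() - 1
    shares = [4 * rng.randrange(2 ** bits // 4) for _ in range(n)]      # p_i = 0 mod 4
    shares[0] = 2 ** (k - 1) + 4 * rng.randrange(2 ** bits // 4) + 3  # p_1 = 2^(k-1) + p'_1
    return shares

def shamir_share(secret, n, t, e, rng):
    """Degree-t polynomial sharing over Z_e; share j is the evaluation at j (needs e > n)."""
    coeffs = [secret % e] + [rng.randrange(e) for _ in range(t)]
    return [sum(c * pow(j, i, e) for i, c in enumerate(coeffs)) % e for j in range(1, n + 1)]

def interpolate_zero(points, e):
    """Lagrange interpolation at 0 over Z_e (e prime) from (j, value) points."""
    total = 0
    for j, vj in points:
        num, den = 1, 1
        for m, _ in points:
            if m != j:
                num = num * (-m) % e
                den = den * (j - m) % e
        total = (total + vj * num * pow(den, -1, e)) % e
    return total

def trial_division_protocol(add_shares, t, e, rng=None):
    """Figure 9 for one prime e: True iff e divides the additively shared p."""
    rng = rng if rng is not None else random.Random(0)
    n = len(add_shares)
    assert e > n and n >= 2 * t + 1
    # 1. P_i re-shares p_i rem e over Z_e; received[i][j] is what P_j gets from P_i
    received = [shamir_share(p_i, n, t, e, rng) for p_i in add_shares]
    # 2. P_j sums what it received: a degree-t share p'_j of p rem e
    p_shares = [sum(received[i][j] for i in range(n)) % e for j in range(n)]
    # 3. JRP-INV (ideal): shares r_j of a random invertible r (any nonzero r, e prime)
    r_shares = shamir_share(rng.randrange(1, e), n, t, e, rng)
    # 4. MUL: the local products r_j * p'_j form a degree-2t sharing of r * (p rem e)
    z_shares = [r_shares[j] * p_shares[j] % e for j in range(n)]
    # 5. publish z_j and interpolate: z = 0 iff e | p, otherwise z is uniform in Z_e^*
    z = interpolate_zero(list(enumerate(z_shares, start=1)), e)
    return z == 0

def passes_trial_division(add_shares, t, bound, rng=None):
    """Figure 9 for every prime e < bound with e > n: (passed, first divisor found).
    Primes e <= n are skipped here: Z_e has too few evaluation points and needs the
    extension field of Remark 8 (e = 2 never divides p, which is 3 mod 4 by construction)."""
    rng = rng if rng is not None else random.Random(0)
    n = len(add_shares)
    for e in small_primes(bound):
        if e <= n:
            continue
        if trial_division_protocol(add_shares, t, e, rng):
            return False, e
    return True, None

def demo(n=3, t=1, k=32, bound=60, seed=7):
    """Share a k-bit candidate among n players, sieve it with Figure 9 and return
    (p, passed, divisor, local) where local lists the divisors found from p itself."""
    rng = random.Random(seed)
    shares = bf_candidate_shares(n, k, rng)
    p = sum(shares)
    passed, divisor = passes_trial_division(shares, t, bound, rng)
    local = [e for e in small_primes(bound) if e > n and p % e == 0]
    return p, passed, divisor, local
```

Running demo() compares the protocol's verdict with a direct check on the reconstructed p; in the protocol no player ever sees p rem e, only the product r·(p rem e), which is zero exactly when e divides p.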





Trial Division Protocol

Public Parameters: A bound $B$ on the small prime divisors to test.

Private Input (for player $P_j$): An additive share $p_j$, over the integers, of a secret
$p$.

Player $P_j$ does as follows:

For each prime $e$ smaller than $B$ do

1. Re-share $p_j \text{ rem } e$ using polynomial sharing over $\mathbb{Z}_e$.
2. Sum all the received shares to get a share $p'_j$ of $p \text{ rem } e$ over $\mathbb{Z}_e$.
3. Run the protocol JRP-INV (over $\mathbb{Z}_e$) to generate shares $r_j$ of a random
   invertible element $r$.
4. Run the protocol MUL$(r_j, p'_j)$ (over $\mathbb{Z}_e$) and denote with $z_j$ the local output
   of player $P_j$.
5. Publish $z_j$ and, using the values disclosed by the other players, interpolate
   $z$. If $z = 0 \text{ rem } e$, then $e$ divides $p$.

FIGURE 9. A simple protocol to check if a shared $p$ is
divisible by any small prime less than some bound $B$


9.3. Distributed Miller-Rabin Primality Test

Now we are ready to describe a distributed version of the Miller-Rabin algorithm.
First notice that if $p$ is of the form $p = 3 \bmod 4$ it can be written as $p = 2w + 1$
where $w$ is odd (all the primes of this form are known as Blum primes). For such
integers the Miller-Rabin test reduces to choosing a random base $a$ and checking
if $a^{(p-1)/2} = \pm 1 \bmod p$ (in the notation of Figure 8, $\ell = 1$ and $m = w$).

A technical problem arises from the fact that, since the players don't know the
value of $p$, they cannot choose $a$ uniformly at random in $\mathbb{Z}_p$. To overcome this
difficulty we allow the players to choose $a$ in a large enough interval (say $\{0,1\}^{2k}$,
where $p < 2^k$). The intuition underlying this solution is that if the interval where
$a$ is sampled is sufficiently larger than $p$, then $a \bmod p$ has a distribution that is
statistically close to uniform.

The detailed protocol appears in Figure 10.

The cost of the Distributed Miller-Rabin test is dominated by the cost of the
ADD-To-BIN protocol and the cost of $\tau$ executions of the Distr-Sq-Mult protocol.
This leads to $O(kn^2 \gamma \log n + n^2 k \gamma^2 + n^2 k^2 \log n + \tau(nk^2 + n^2 k^2 \log n))$ bit operations
per player, where $\gamma$ is the size of the small prime used in the ADD-To-BIN conversion
protocol and $\tau$ is the number of repetitions (the approximation parameter of Figure 10).

Its communication complexity is $O(k^2 n \tau)$ and it requires $O(k + \log n)$ rounds.





Distributed Miller-Rabin Protocol

Public Parameters: A parameter $k$ such that $p < 2^k$.
An approximation parameter $\tau$. The usual prime $q$.

Private Input (for player $P_j$): An additive share $p_j$, over the integers, of a
candidate prime $p$ (obtained as described in Section 9.2).

Player $P_j$ does as follows:
1. If $j \geq 2$ set $b_j = p_j/2$, else set $b_j = (p_j - 1)/2$
   (so that $b = \sum_j b_j = (p-1)/2$ over the integers).
2. Run the ADD-To-BIN protocol to obtain shares of the bits of $b$. Denote
   with $((b_1)_j, \ldots, (b_k)_j)$ the local output for player $P_j$.
3. Convert the additive shares of $p$ into polynomial shares over $\mathbb{Z}_q$ (using the
   methods described in Section 6).
   Denote with $\hat p_j$ the local output for player $P_j$.
4. Run the P-INVERT protocol to produce shares of an approximation of $1/p$
   and denote with $\tilde p_j$ the local share held by player $P_j$.
5. Repeat $\tau$ times (in parallel):
   (a) Choose $r_j$ uniformly at random in $\{0,1\}^{2k}$ (this implicitly de-
       fines $r = \sum_j r_j$ over the integers).
   (b) Convert the additive shares (of $r$) into polynomial shares over $\mathbb{Z}_q$
       and let $\hat r_j$ be the local output of player $P_j$.
   (c) Run the MOD-RED protocol on local input $\hat r_j$, $\hat p_j$ and $\tilde p_j$. We denote
       with $a_j$ the local output produced by the protocol.
   (d) Run the protocol Distr-Sq-Mult on input
       $(a_j, ((b_1)_j, \ldots, (b_k)_j), \hat p_j, \tilde p_j)$. Let $z_j$ be the local output for
       player $P_j$.
   (e) Run the protocol SET-MEM on input $(z_j, \{-1, 1\}, \hat p_j, \tilde p_j)$. If it outputs
       NO, output NO.
6. Output YES.

FIGURE 10. A distributed version of the Miller-Rabin
primality test.


9.4. Generation of Shared Random Safe Primes

We conclude this part by presenting a method to generate, in a distributed way, a shared
(random) safe prime. It should be pointed out here that not very much has been
proved about the density of these primes. In particular we don't even know if there
are infinitely many safe primes. However it is widely conjectured that safe primes
are sufficiently "dense", and this conjecture is supported by empirical evidence.

In order to generate such primes one can use the following protocol (which is a
distributed variant of the single-player safe-prime generation procedure proposed
by Cramer and Shoup in [14]).





First the players choose a random candidate $p'$ as described in Section 9.2. Then
player $P_1$ sets $p_1 = 2p'_1 + 1$ as his additive share for the candidate safe prime $p$.
The remaining players set $p_i = 2p'_i$ (so that $p = \sum_i p_i = 2p' + 1$).

The players run the Trial Division protocol on both $p$ and $p'$. If this step fails
they start over with a new candidate.

If, on the contrary, the trial division test is successfully passed, the players run the
Distributed Miller-Rabin protocol on input $p'$ with approximation parameter $\tau$.
Then, if the test indicates that $p'$ is prime, the players run the Distributed Miller-
Rabin protocol on input $p$ with approximation parameter $\tau$. If the test succeeds,
the players accept $p$ as a safe prime.
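The following Python is an added example, not code from the notes: it implements Figure 8 round by round, the single-exponentiation form of Section 9.3 for p = 3 mod 4, a count of Fermat liars versus strong liars on the Carmichael number 561 (the failure mode that motivates Miller-Rabin), and the safe-prime search of Section 9.4 in its single-player form (trial division of both p and p', then Miller-Rabin on p' before p). The small-prime bound 23 and the choice of w = 10 rounds are assumptions of the example.

```python
import random
from math import gcd

# Added example (not the notes' own code): the test of Figure 8, its one-exponentiation
# form for p = 3 mod 4 (Section 9.3), why the plain Fermat test fails on a Carmichael
# number, and the single-player safe-prime search of Section 9.4 (test p' before p).
# The small-prime bound and the choice w = 10 rounds are assumptions.

def decompose(p):
    """Write p - 1 = 2^ell * m with m odd."""
    ell, m = 0, p - 1
    while m % 2 == 0:
        ell, m = ell + 1, m // 2
    return ell, m

def miller_rabin_round(p, a):
    """One round of Figure 8 for odd p > 3 and a base 1 < a < p - 1.
    True means 'yes' (p may be prime); False means 'no' (p is surely composite)."""
    ell, m = decompose(p)
    b = pow(a, m, p)
    if b == 1:
        return True
    for _ in range(ell):
        if b == p - 1:            # b = -1 mod p
            return True
        b = b * b % p             # if this ever hits 1, b was a non-trivial root of 1
    return False

def miller_rabin(p, w, rng):
    """w independent rounds: 'no' is always right; a wrong 'yes' has probability <= (1/4)^w."""
    if p < 4:
        return p in (2, 3)
    if p % 2 == 0:
        return False
    return all(miller_rabin_round(p, rng.randrange(2, p - 1)) for _ in range(w))

def is_probable_prime(p, w=10, seed=0):
    return miller_rabin(p, w, random.Random(seed))

def blum_round(p, a):
    """Section 9.3: for p = 3 mod 4, p - 1 = 2w with w odd, so ell = 1 and a round of
    Figure 8 collapses to the single check a^((p-1)/2) = +-1 mod p."""
    assert p % 4 == 3
    return pow(a, (p - 1) // 2, p) in (1, p - 1)

def liar_counts(p):
    """Over all bases 1 < a < p - 1 coprime to p: (bases, Fermat liars, strong liars)."""
    bases = [a for a in range(2, p - 1) if gcd(a, p) == 1]
    fermat = sum(pow(a, p - 1, p) == 1 for a in bases)
    strong = sum(miller_rabin_round(p, a) for a in bases)
    return len(bases), fermat, strong

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23)

def is_safe_prime(p, w, rng):
    """Section 9.4 in single-player form, for p > 2 * 23: trial-divide both p and
    p' = (p - 1)/2, then Miller-Rabin on p' first (it is smaller and rejects most
    candidates) and on p only if p' survives."""
    if p <= 2 * SMALL_PRIMES[-1] or p % 2 == 0:
        return False
    pp = (p - 1) // 2
    for e in SMALL_PRIMES:
        if p % e == 0 or (pp % e == 0 and pp != e):
            return False
    return miller_rabin(pp, w, rng) and miller_rabin(p, w, rng)

def next_safe_prime(start, w=10, seed=0):
    """Smallest safe prime p >= max(start, 47), scanning only p = 3 mod 4
    (2p' + 1 with p' odd is always 3 mod 4)."""
    rng = random.Random(seed)
    p = start + (3 - start) % 4
    while not is_safe_prime(p, w, rng):
        p += 4
    return p
```

liar_counts(561) shows the point of Section 9.1 concretely: every base coprime to 561 passes the Fermat test, while only a small fraction of them pass a Miller-Rabin round (Rabin's theorem bounds that fraction by 1/4).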




10. Efficient Generation of Shared RSA Keys 


Using the algorithms described so far, we can easily generate (in a distributed 
way) a composite integer obtained as the product of two (standard or of some 
special form) primes. In other words we can use the protocols described in the 
previous sections to efficiently generate a shared RSA modulus for which none of 
the players knows the factorization. 

In many situations, however, the parties are required to efficiently generate 
not only the modulus but also shares of the private exponent d. Of course one 
can still combine the previously described methods to obtain a protocol for this 
task as well. In the following, however, we decided to discuss a completely differ-
ent approach to solve the problem. Specifically we describe a simple and efficient
algorithm to compute polynomial shares of the private exponent $d$, starting from a
public exponent $e$ and shares of $\phi(N)$. More generally this algorithm can be used
to compute the inverse of a public value modulo a shared integer (assuming, of
course, that the greatest common divisor of the two integers is 1). In this sense it
can be seen as a "dual" algorithm with respect to that discussed in Section 3 by
Bar-Ilan and Beaver [4].


It must be noticed that an algorithm for the same problem was already 
proposed by Boneh and Franklin in [7]. The protocol we are going to present, 
however, improves on some of the features of the Boneh Franklin solution (see [11] 
for a discussion about this). 


Remark 9. Note that in presenting the inversion protocol we go back to the stan- 
dard notations for modular arithmetic (see Section 5). In particular we go back to 
the symbol ’mod’ to denote the operator for modular reduction. 


11. Computing Inverses over a Shared Modulus 


11.1. The Basic Idea 


We start by presenting a very simple protocol which, although it doesn't quite solve
our problem, is rather useful for illustrating the ideas underlying the complete
solution.

For this protocol, we assume that the players hold additive shares (over the
integers) of some multiple of the secret modulus $\phi$. This means that each player $P_i$
has a share $a_i$ such that $\sum_i a_i = \lambda\phi$, where $\lambda$ is some random integer, much larger
than $\phi$ (say, of order $N^2$, as in the full protocol below). The protocol goes as follows. Each player $P_i$ chooses
a "randomizing integer" $r_i \in_R [0..N^3]$, and publishes the value $y_i = a_i + r_i e$. Using
this public data all the players compute $\gamma = \sum_i y_i$. Clearly,

$$\gamma = \sum_i y_i = \sum_i (a_i + r_i e) = \lambda\phi + Re$$

(where $R = \sum_i r_i$). If one assumes that $\mathrm{GCD}(\gamma, e) = 1$, then there exist $a, b$ such
that $a\gamma + be = 1$, and thus $d = aR + b = e^{-1} \bmod \phi$ (indeed $a\gamma + be = a\lambda\phi + (aR + b)e$,
which reduces to $(aR + b)e = 1 \bmod \phi$). At this point additive shares
of $d$ can be easily obtained by having player $P_1$ set $d_1 = ar_1 + b$, and the other
players set $d_i = ar_i$. Obviously $d = \sum_i d_i$.

Note that the only information leaked by the protocol is the integer $\gamma =
\lambda\phi + Re$. However it is possible to prove (and we do that for the general protocol
in the next section) that the distribution of $\gamma$ is (almost) independent of $\phi$. More
precisely, it can be shown that, when $\lambda$ and $R$ follow the probability distribution
described above, then the distributions $\{\gamma = \lambda\phi + Re\}$ and $\{\hat\gamma = \lambda N + Re\}$ are
statistically close.

The above protocol, however, is not secure when it is used more than once
with the same $\lambda$ and different $e$'s. Indeed, for each input $e$, the protocol leaks the
value $\lambda\phi \bmod e$, and so after sufficiently many runs with different $e$'s one can
recover the integer $\lambda\phi$ via the Chinese Remainder Theorem (see for example [40]
for details about this theorem). To overcome this, it is necessary to use a "fresh" $\lambda$
for each input $e$. In the next section we show how to do this, and at the same time
get a $t$-out-of-$n$ threshold solution (but still in the "honest but curious" model).

Note that, for the case of RSA key generation, having a protocol that is secure
only if used once can be perfectly fine. After all, once $N$ is computed, only one
inverse modulo $\phi(N)$ has to be computed to obtain shares of the private exponent.
For the sake of completeness, however, we prefer to present here the full protocol
(i.e. the one secure even when used more than once with the same secret $\phi(N)$).


11.2. The Full Protocol 


The protocol in this section achieves a $t$-out-of-$n$ sharing. However the most
important difference between this solution and the one given in the previous section
is that all the secrets are shared via polynomials over the integers (rather than
sums), and the multiple $\lambda$ is chosen afresh with each new execution. The rest of
the protocol is similar to the basic case. The protocol is described in detail in
Figure 11. On a high-level description, it goes as follows:

• Each player starts by holding as input a share of the secret modulus $\phi$ (mul-
  tiplied by a factor of $L = n!$ for technical reasons, as discussed in 3.4), via a
  $t$-degree polynomial $f(z)$ with free term $L\phi$.

• In the first round of the protocol, the players jointly generate two random
  $t$-degree polynomials $g(z)$ and $h(z)$ with free terms $L\lambda$ and $LR$, respectively,
  and a random $2t$-degree polynomial $\rho(z)$ with free term 0.

• In the second round they reconstruct the $2t$-degree polynomial $F(z) = f(z)g(z)
  + e \cdot h(z) + \rho(z)$ and recover its free term $\gamma = F(0) = L^2\lambda\phi + LRe$.

• Finally, they use the GCD algorithm to (publicly) compute $a, b$ such that
  $a\gamma + be = 1$ and set $d = aLR + b = e^{-1} \bmod \phi$. To conclude the protocol,
  each player $P_i$ computes its share of $d$ by setting $d_i = ah(i) + b$.





Theorem 4. If all the players carry out the prescribed protocol and $n > 2t$, then
the protocol in Figure 11 is a secure Modular Inversion Protocol according to the
definition given in Section 2.2.




Inversion Protocol

Private inputs: Sharing of $L\phi$ using a $t$-degree polynomial over the integers.
Player $P_i$ has private input $f_i = f(i)$, where $f(z) = L\phi + a_1 z + \ldots + a_t z^t$,
and $\forall j,\ a_j \in [-L^2N .. L^2N]$.

Public input: a prime number $e > n$, an approximate bound $N$ on $\phi$.

[Round 1] Each player $P_i$ does the following:
1. Choose $\lambda_i \in_R [0..N^2]$ and $b_{i,1}, \ldots, b_{i,t} \in_R [-L^2N^3 .. L^2N^3]$.
   Choose $r_i \in_R [0..N^3]$ and $c_{i,1}, \ldots, c_{i,t} \in_R [-L^2N^4 .. L^2N^4]$.
   Choose $\rho_{i,1}, \ldots, \rho_{i,2t} \in_R [-L^2N^5 .. L^2N^5]$.
2. Set $g_i(z) = L\lambda_i + b_{i,1}z + \ldots + b_{i,t}z^t$, $h_i(z) = Lr_i + c_{i,1}z + \ldots + c_{i,t}z^t$, and
   $\rho_i(z) = 0 + \rho_{i,1}z + \ldots + \rho_{i,2t}z^{2t}$.
3. Send to each player $P_j$ the values $g_i(j)$, $h_i(j)$, $\rho_i(j)$, computed over the
   integers.

[Round 2] Each player $P_j$ does the following:
1. Set $g_j = \sum_{i=1}^{n} g_i(j)$, $h_j = \sum_{i=1}^{n} h_i(j)$, and $\rho_j = \sum_{i=1}^{n} \rho_i(j)$.
   (These are its shares of the polynomials $g(z) = \sum_i g_i(z)$, $h(z) =
   \sum_i h_i(z)$, and $\rho(z) = \sum_i \rho_i(z)$.)
2. Broadcast the value $F_j = f_j g_j + e h_j + \rho_j$.

[Output] Each player $P_i$ does the following:
1. From the broadcast values interpolate the $2t$-degree polynomial $F(z) =
   f(z)g(z) + e \cdot h(z) + \rho(z)$.
2. Using the GCD algorithm, find $a, b$ such that $aF(0) + be = 1$. If no such
   $a, b$ exist, go to Round 1.
3. The inverse of $e$ is $d = ah(0) + b$. Privately output the share of the inverse,
   $d_i = ah(i) + b$.

FIGURE 11. A protocol to compute inverses over a
shared modulus
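The following Python is an added example and not the notes' own code: it runs the Inversion Protocol of Figure 11 (the threshold version of the additive idea of Section 11.1) for all n players in one process, in the honest-but-curious model, with exact rational interpolation so that the polynomials over the integers are handled as written. The toy RSA primes 10007 and 10009, n = 5, t = 2 and e = 65537 are assumptions chosen so that the run is fast; the coefficient ranges are those of Figure 11. The returned shares satisfy d_j = a h(j) + b, and any t + 1 of them interpolate to d with d·e = 1 mod φ.

```python
import random
from fractions import Fraction
from math import factorial, gcd

# Added example (not the notes' own code): an honest-but-curious, single-process
# simulation of the Inversion Protocol of Figure 11 (the threshold version of the
# additive idea of Section 11.1). The toy RSA primes, n = 5, t = 2 and e = 65537
# are assumptions chosen so that the run is fast; the coefficient ranges are Figure 11's.

def poly_eval(coeffs, z):
    """Evaluate c_0 + c_1 z + ... + c_k z^k over the integers."""
    return sum(c * z ** i for i, c in enumerate(coeffs))

def interpolate_at_zero(points):
    """Exact Lagrange interpolation over Q at z = 0 from (x, y) points.
    For points taken from an integer polynomial the result is that polynomial's free term."""
    total = Fraction(0)
    for xi, yi in points:
        term = Fraction(yi)
        for xj, _ in points:
            if xj != xi:
                term *= Fraction(-xj, xi - xj)
        total += term
    if total.denominator != 1:
        raise ValueError("points are not on an integer polynomial")
    return int(total)

def egcd(a, b):
    """Extended Euclid: returns (g, u, v) with a*u + b*v = g = gcd(a, b)."""
    u0, u1, v0, v1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        u0, u1 = u1, u0 - q * u1
        v0, v1 = v1, v0 - q * v1
    return a, u0, v0

def share_L_phi(phi, N, n, t, rng):
    """Private inputs of Figure 11: f(z) = L*phi + a_1 z + ... + a_t z^t, a_j in [-L^2 N, L^2 N]."""
    L = factorial(n)
    f = [L * phi] + [rng.randint(-L ** 2 * N, L ** 2 * N) for _ in range(t)]
    return [poly_eval(f, i) for i in range(1, n + 1)]

def inversion_protocol(f_shares, e, N, t, rng):
    """Figure 11. f_shares[j] is f(j+1); returns the shares d_j = a h(j) + b of d = e^-1 mod phi."""
    n = len(f_shares)
    L = factorial(n)
    while True:
        # Round 1: P_i picks g_i, h_i, rho_i and sends g_i(j), h_i(j), rho_i(j) to P_j.
        # recv_g[j][i] is what P_j receives from P_i (likewise for h and rho).
        recv_g = [[0] * n for _ in range(n)]
        recv_h = [[0] * n for _ in range(n)]
        recv_rho = [[0] * n for _ in range(n)]
        for i in range(n):
            g_i = [L * rng.randint(0, N ** 2)] + [rng.randint(-L ** 2 * N ** 3, L ** 2 * N ** 3) for _ in range(t)]
            h_i = [L * rng.randint(0, N ** 3)] + [rng.randint(-L ** 2 * N ** 4, L ** 2 * N ** 4) for _ in range(t)]
            rho_i = [0] + [rng.randint(-L ** 2 * N ** 5, L ** 2 * N ** 5) for _ in range(2 * t)]
            for j in range(n):
                recv_g[j][i] = poly_eval(g_i, j + 1)
                recv_h[j][i] = poly_eval(h_i, j + 1)
                recv_rho[j][i] = poly_eval(rho_i, j + 1)
        # Round 2: P_j sums what it received (shares of g, h, rho) and broadcasts F_j.
        g = [sum(row) for row in recv_g]
        h = [sum(row) for row in recv_h]
        rho = [sum(row) for row in recv_rho]
        F = [f_shares[j] * g[j] + e * h[j] + rho[j] for j in range(n)]
        # Output: F(z) has degree 2t, so the n >= 2t+1 broadcast values determine
        # F(0) = L^2 lambda phi + L R e; then a F(0) + b e = 1 gives d = a L R + b.
        F0 = interpolate_at_zero([(j + 1, F[j]) for j in range(n)])
        g0, a, b = egcd(F0, e)
        if g0 != 1:            # e | lambda (probability about 1/e): back to Round 1
            continue
        return [a * h[j] + b for j in range(n)]   # d_j = a h(j) + b, a t-degree sharing of d

def reconstruct(points):
    """Any t+1 shares (j, d_j) lie on a t-degree polynomial whose free term is d."""
    return interpolate_at_zero(points)

def demo(seed=2004):
    rng = random.Random(seed)
    p, q = 10007, 10009                   # constructed toy RSA primes
    N, phi = p * q, (p - 1) * (q - 1)     # N is the public approximate bound on phi
    n, t, e = 5, 2, 65537                 # n > 2t (Theorem 4), e > n prime, gcd(e, phi) = 1
    assert gcd(e, phi) == 1
    d_shares = inversion_protocol(share_L_phi(phi, N, n, t, rng), e, N, t, rng)
    d = reconstruct([(j + 1, d_shares[j]) for j in range(t + 1)])
    return {"N": N, "phi": phi, "e": e, "d": d, "shares": d_shares}

if __name__ == "__main__":
    out = demo()
    print("d * e mod phi =", out["d"] * out["e"] % out["phi"])
```

The only value opened in the run is F(0); with the Figure 11 ranges it is of the form L²λφ + LRe with fresh λ and R, which is exactly what Lemma 1 below shows to be statistically independent of φ. Note also how small the retry probability is: with e = 65537 the GCD step fails only when e divides λ.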





Sketch of Proof. In this proof we assume that $N - \phi = O(\sqrt N)$ (which is true
for the case we are interested in, where $N$ is an RSA modulus and $\phi = \phi(N)$). In
the more general case where we can only bound $N - \phi$ with $O(N)$, the bounds in the
proof have to be adjusted slightly.

INITIAL INPUTS. First we show that the distribution of $t$ shares of the secret $\phi$
with polynomial $f(z)$ is statistically indistinguishable from the distribution of $t$
shares that result from sharing the value $N$ via a polynomial $\hat f(z)$. Intuitively,
this allows us to show that $t$ players have no information about the shared secret
$\phi(N)$.

We prove this fact by showing that, with very high probability, there is a
sharing of $N$ with a polynomial $\hat f$, having integer coefficients in the same range as
$f$, such that $\hat f(i) = f(i)$ for $i = 1, \ldots, t$. Let $h(z)$ be the $t$-degree polynomial such
that $h(0) = (\phi - N)L$ and $h(1) = \ldots = h(t) = 0$. Formally this means that

$$h(z) = \sum_{i=0}^{t} h(i) \prod_{j \neq i,\ j=0,\ldots,t} \frac{z - j}{i - j} = L(\phi - N) \prod_{j=1}^{t} \frac{z - j}{-j},$$

and the coefficient of $z^i$ is

$$L(\phi - N) \cdot \frac{\sum_{B \subseteq \{1,\ldots,t\},\ |B| = t-i}\ \prod_{j \in B} (-j)}{\prod_{j=1}^{t} (-j)}.$$

Since $L = n!$ the value above is an integer. Furthermore it can be bounded, in
absolute value, by

$$L\,|\phi - N| \cdot \binom{t}{i} \frac{t^{\,t-i}}{t!} \;\le\; L^2 |\phi - N| \;<\; 3L^2\sqrt N.$$

The desired polynomial is then $\hat f(z) = f(z) - h(z)$, and clearly $\hat f(0) = LN$.
Moreover the coefficients of this polynomial are integers in the range $[-L^2N -
3L^2\sqrt N .. L^2N + 3L^2\sqrt N]$, thus the probability that some coefficient falls outside the
legal range $[-L^2N .. L^2N]$ is at most

$$t \cdot \frac{6L^2\sqrt N}{2(L^2N + 3L^2\sqrt N)} \;<\; \frac{3t}{\sqrt N},$$

which is negligible.


CORRECTNESS. It is easy to see that the protocol is correct. As a matter of fact,
since all players are honest, the interpolation in the output phase will
give as the unique polynomial $F(z)$ a polynomial with integer coefficients. Thus
$F(0) = L^2\lambda\phi + LRe$ is an integer and we can compute its GCD with respect to $e$.
If $e$ does not divide $\phi$ (and $e > n$, so that $e$ does not divide $L$ either), the probability
that $\mathrm{GCD}(e, F(0)) \neq 1$ is roughly $1/e$ (this is just the probability that $e$ divides $\lambda$).

Thus, for sufficiently big $e$, it is very unlikely that the protocol has to be
repeated more than once. Once we obtain $aF(0) + be = 1$, it can be re-written as

$$a(L^2\lambda\phi + LRe) + be = 1.$$

That becomes $(aLR + b)e = 1 \bmod \phi$ when reduced mod $\phi$. This means that we
have $d = aLR + b = e^{-1} \bmod \phi$. Thus the $t$-degree polynomial $ah(z) + b$ interpolates
to the correct value $d$, and the shares $d_i$ correctly lie on such polynomial. Notice
that in order to interpolate $F(z)$ we need the shares of at least $2t + 1$ players.





SIMULATION OF THE INVERSION PROTOCOL. Without loss of generality assume
that the simulator controls players $P_{t+1}, \ldots, P_n$. For these players it holds initial
values $\hat f_i$ which come from a sharing of $N$ (instead of $\phi$, as discussed before).
For Round 1 the simulator simply follows the same instructions as the pro-
tocol. This produces shared polynomials $\hat h(z)$, $\hat g(z)$ and $\hat\rho(z)$ and shared values
$\hat\lambda = \hat g(0)$ and $\hat R = \hat h(0)$. Clearly $\hat\lambda$ and $\hat R$ follow the same distribution as $\lambda, R$.
Moreover notice that, using an argument very similar to the one used for the shar-
ing of the initial values, it is possible to prove that the adversary has no information
about $\lambda$ and $R$.

During Round 2 the simulator publishes the values $\hat F(i) = \hat f(i)\hat g(i) + e\hat h(i) +
\hat\rho(i)$ (for $i = t+1, \ldots, n$). Because the polynomials $\rho(z)$ and $\hat\rho(z)$ have coefficients
which are much larger than those of $f(z)g(z)$ and $\hat f(z)\hat g(z)$, both polynomials $F(z)$ and
$\hat F(z)$ follow a distribution which is statistically close to that of $\rho(z)$, except for the free
term.

Indeed the $2t$-degree polynomial $\hat F(z)$ interpolating those values has free term
equal to $L^2\hat\lambda N + L\hat R e$ (while in the real execution it interpolates to $L^2\lambda\phi + LRe$).
This is the only difference between the simulated and the real execution.

It is then sufficient to prove that the distributions of these two values are
statistically close. We do that with the following lemma.

11.3. A Fundamental Lemma

Let $\lambda = \lambda_1 + \ldots + \lambda_n$ where each $\lambda_i$ is an integer chosen uniformly at random in
the interval $[0..N^2]$. Let us denote with $\sum_n[N^2]$ the probability distribution of $\lambda$
(i.e. the sum of $n$ independent random variables uniformly distributed in $[0..N^2]$).
Similarly let $R$ be distributed according to $\sum_n[N^3]$. Finally let $N$ be a bound on
$\phi$ (here too, for simplicity, we assume $N - \phi = O(\sqrt N)$) and $e$ a prime number,
relatively prime with $\phi$. We assume that $e$ is at most $O(N)$.

Lemma 1. Let $\lambda, \hat\lambda$ be distributed according to $\sum_n[N^2]$. Let $R, \hat R$ be distributed according
to $\sum_n[N^3]$. Consider the random variables $X_\phi = \lambda\phi + Re$ and $X_N = \hat\lambda N + \hat R e$.
Then $X_\phi$ and $X_N$ are statistically indistinguishable, namely

$$\sum_x \left|\Pr[X_\phi = x] - \Pr[X_N = x]\right| < N^{-c}$$

for some constant $c > 0$.

Remark 10. The proof of this lemma is quite technical and it is just sketched
in these notes. The interested reader is referred to the full version of [11] for a
complete and detailed proof.


Sketch of Proof. We begin the proof by proving the following fact.

Proposition 1. Let $x, y$ be two integers such that $\mathrm{GCD}(x, y) = 1$ and $A, B$ two
integers such that $A < B$, $x, y < A$ and $B > Ax$. Then every integer in the closed
interval $[xy - x - y + 1 .. Ax + By - xy + x + y - 1]$ can be written as $ax + by$ where
$a \in [0..A]$ and $b \in [0..B]$.

Proof. (Proposition 1.) It is a well known fact from the theory of integer program-
ming that any integer larger than $xy - x - y$ can be written as $ax + by$ where $a$ and
$b$ are non-negative integers (this is a special instance of the Frobenius problem,
see [50] for example).

Clearly if $z = ax + by$ with $a \in [0..A]$, $b \in [0..B]$, then $z \in [0..Ax + By]$. We
will call an integer $z \in [0..Ax + By]$ reachable if it can be written as $z = ax + by$
with $a \in [0..A]$ and $b \in [0..B]$.

Note that the interval $[0..Ax + By]$ is symmetric, i.e. if $z \in [0..(Ax + By)/2]$ is
reachable, then $z' = Ax + By - z$ is also reachable (take $A - a$ and $B - b$). Thus to prove the Proposition
it will be sufficient to prove that any $z \in [xy - x - y + 1 .. By]$ is reachable (since
$By > (Ax + By)/2$).

Fix $z \in [xy - x - y + 1 .. By]$. Consider the equation with unknown $a$

$$z - ax = 0 \bmod y.$$

Since $\mathrm{GCD}(x, y) = 1$ there exists a unique solution $a = zx^{-1} \bmod y$ with
$0 \le a < y < A$. Then $z - ax = by$ for some integer $b$, and $b \le B$ (since $z \le By$).

To prove that $b \ge 0$ let us consider

$$b = \frac{z - ax}{y} \;\ge\; \frac{xy - x - y + 1 - (y-1)x}{y} \;=\; \frac{1 - y}{y} \;=\; \frac{1}{y} - 1.$$

Note that the quantity $(1/y) - 1$ is strictly greater than $-1$, thus, $b$ being an
integer, $b \ge 0$.
This completes the proof.
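As an added example (not part of the notes), the constructive step of the proof above is written out in Python together with an exhaustive check of Proposition 1 on small parameters; the values x = 3, y = 5, A = 6, B = 19 (and 4, 7, 9, 40) are constructed for the check, not taken from the text. The function also exercises the symmetry argument for z above By, and a second function confirms that xy − x − y, just below the interval, has no non-negative representation at all.

```python
from math import gcd

# Added example (not from the notes): the constructive map from the proof of
# Proposition 1, with an exhaustive check on small constructed parameters (the
# values of x, y, A, B used in the check are assumptions, not from the text).

def bounds(x, y, A, B):
    """The interval [xy - x - y + 1 .. Ax + By - xy + x + y - 1] of Proposition 1."""
    return x * y - x - y + 1, A * x + B * y - x * y + x + y - 1

def represent(z, x, y, A, B):
    """Return (a, b) with a in [0..A], b in [0..B] and a*x + b*y == z, following the proof:
    for z <= By take a = z x^-1 mod y and b = (z - a x)/y; for larger z use the
    symmetry z -> Ax + By - z of the reachable set (a, b) -> (A - a, B - b)."""
    assert gcd(x, y) == 1 and x < A and y < A and A < B and B > A * x
    lo, hi = bounds(x, y, A, B)
    assert lo <= z <= hi
    if z > B * y:
        a, b = represent(A * x + B * y - z, x, y, A, B)   # Ax + By - z < Ax < By, so no further recursion
        return A - a, B - b
    a = z * pow(x, -1, y) % y          # the unique a in [0, y) with z - a x = 0 mod y; y < A
    b = (z - a * x) // y               # exact; b <= B since z <= By, b >= 0 since z >= lo
    return a, b

def check_interval(x, y, A, B):
    """Exhaustively confirm that every z in the interval is represented correctly."""
    lo, hi = bounds(x, y, A, B)
    for z in range(lo, hi + 1):
        a, b = represent(z, x, y, A, B)
        if not (0 <= a <= A and 0 <= b <= B and a * x + b * y == z):
            return False
    return True

def frobenius_unreachable(x, y):
    """xy - x - y (just below the interval) has no representation with a, b >= 0."""
    f = x * y - x - y
    return not any((f - a * x) % y == 0 for a in range(0, f // x + 1) if f - a * x >= 0)
```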














Consider now the sets

$$\mathcal{L} = \{\lambda\phi + Re \mid \lambda \in [0..nN^2],\ R \in [0..nN^3]\}$$

and

$$\hat{\mathcal{L}} = \{\lambda N + Re \mid \lambda \in [0..nN^2],\ R \in [0..nN^3]\}.$$

A consequence of Proposition 1 (applied with $A = nN^2$, $B = nN^3$ and $y = e$)
is that both $\mathcal{L}$ and $\hat{\mathcal{L}}$ contain every integer of the interval $[\delta..\Delta]$,
where $\delta = Ne - N - e + 1$ and $\Delta = n(N^2\phi + N^3e) - \phi e + \phi + e - 1$.

It is very easy to see (by Chernoff's bounds) that the probability that $X_\phi$
or $X_N$ fall outside the interval $[\delta..\Delta]$ is negligible, since both bounds are very far
away from the means of $X_\phi$ and $X_N$.
Let $\epsilon$ be a negligible quantity upper bounding all the following probabilities:
$\Pr[X_\phi < \delta]$, $\Pr[X_\phi > \Delta]$, $\Pr[X_N < \delta]$, $\Pr[X_N > \Delta]$. Then we have that

$$\sum_x \left|\Pr[X_\phi = x] - \Pr[X_N = x]\right| \;\le\; 4\epsilon + \sum_{x=\delta}^{\Delta} \left|\Pr[X_\phi = x] - \Pr[X_N = x]\right|,$$

so we can focus on the last term.

Let $x \in [\delta..\Delta]$. Given a pair $\lambda, R$ such that $x = \lambda\phi + Re$ we present a mapping
that produces $\hat\lambda, \hat R$ such that $x = \hat\lambda N + \hat R e$. That is

$$\lambda\phi - \hat\lambda N = (\hat R - R)e.$$

Since $\mathrm{GCD}(N, e) = 1$, for any given $\lambda$ there exists a unique $\hat\lambda \in [\lambda..\lambda + e - 1]$ such
that $\lambda\phi - \hat\lambda N$ is a multiple of $e$. Once this $\hat\lambda$ is fixed one can then solve for $\hat R$.

We are not done however. We need to prove that the probability weight of
the pair $\hat\lambda, \hat R$ is very close to that of the pair $\lambda, R$. This is true because the points
$\lambda, \hat\lambda$ and $R, \hat R$ are "close enough" relative to the size of the intervals they were chosen
from. Indeed

$$\frac{|\hat\lambda - \lambda|}{nN^2} \;\le\; \frac{e}{nN^2} \;\le\; \frac{1}{nN},$$

and also

$$|\hat R - R| = \frac{|\lambda\phi - \hat\lambda N|}{e} = \frac{|(\lambda - \hat\lambda)N + \lambda(\phi - N)|}{e}
\;\le\; \frac{eN + nN^2 \cdot O(\sqrt N)}{e} \;=\; O(nN^2\sqrt N),$$

so that

$$\frac{|\hat R - R|}{nN^3} \;=\; O\!\left(\frac{1}{\sqrt N}\right),$$

which again is negligible.





Remark 11 (Size of shares). Note that the shares $d_i$ of $d = e^{-1} \bmod \phi$ have order
$O(N^5)$. However, the shares do not have to be this large. We chose these bounds
to make the presentation and the proof simpler. It is possible to improve (a lot)
on those bounds, as discussed in [11].
Multiparty Computation, an Introduction


Ronald Cramer and Ivan Damgård


1. Introduction 


These lecture notes introduce the notion of secure multiparty computation. We 
introduce some concepts necessary to define what it means for a multiparty proto- 
col to be secure, and survey some known general results that describe when secure 
multiparty computation is possible. We then look at some general techniques for 
building secure multiparty protocols, including protocols for commitment and ver- 
ifiable secret sharing, and we show how these techniques together imply general 
secure multiparty computation. 

Our goal with these notes is to convey an understanding of some basic ideas 
and concepts from this field, rather than to give a fully formal account of all 
proofs and details. We hope the notes will be accessible to most graduate students 
in computer science and mathematics with an interest in cryptography. 


2. What is Multiparty Computation? 


2.1. The MPC and VSS Problems 


Secure multi-party computation (MPC) can be defined as the problem of $n$ play-
ers to compute an agreed function of their inputs in a secure way, where se-
curity means guaranteeing the correctness of the output as well as the privacy
of the players' inputs, even when some players cheat. Concretely, we assume
we have inputs $x_1, \ldots, x_n$, where player $i$ knows $x_i$, and we want to compute
$f(x_1, \ldots, x_n) = (y_1, \ldots, y_n)$ such that player $i$ is guaranteed to learn $y_i$, but can
get nothing more than that.

As a toy example we may consider Yao’s millionaire’s problem: two million- 
aires meet in the street and want to find out who is richer. Can they do this without 
having to reveal how many millions they each own? The function computed in this 
case is a simple comparison between two integers. If the result is that the first mil- 
lionaire is richer, then he knows that the other guy has fewer millions than him, 
but this should be all the information he learns about the other guy’s fortune. 
Another example is a voting scheme: here all players have an integer as input, des-
ignating the candidate they vote for, and the goal is to compute how many votes
each candidate has received. We want to make sure that the correct result of the
vote, but only this result, is made public. In these examples all players learn the
same result, i.e., $y_1 = \cdots = y_n$, but it can also be useful to have different results for
different players. Consider for example the case of a blind signature scheme, which
is useful in electronic cash systems. We can think of this as a two-party secure
computation where the signer enters his private signing key $sk$ as input, the user
enters a message $m$ to be signed, and the function is $f(sk, m) = (y_1, y_2)$, where $y_1$
is for the signer and is empty, and where $y_2$ is for the user and is the signature on
$m$. Again, security means exactly what we want: the user gets the signature and
nothing else, while the signer learns nothing new.

It is clear that if we can compute any function securely, we have a very 
powerful tool. However, some protocol problems require even more general ways 
of thinking. A secure payment system, for instance, cannot naturally be formulated 
as secure computation of a single function: what we want here is to continuously 
keep track of how much money each player has available and avoid cases where 
for instance people spend more money than they have. Such a system should 
behave like a secure general-purpose computer: it can receive inputs from the 
players at several points in time and each time it will produce results for each 
player computed in a specified way from the current inputs and from previously 
stored values. Therefore, the definition we give later for security of protocols, 
will be for this more general type, namely a variant of the Universally Composable 
security definition of Canetti. Another remark is that although the general protocol 
constructions we give are phrased as solutions to the basic MPC problem, they 
can in fact also handle the more general type of problem. 

A key tool for secure MPC, interesting in its own right, is verifiable secret 
sharing (VSS): a dealer distributes a secret value s among the players, where the 
dealer and/or some of the players may be cheating. It is guaranteed that if the 
dealer is honest, then the cheaters obtain no information about s, and all honest 
players are later able to reconstruct s, even against the actions of cheating players. 
Even if the dealer cheats, a unique such value s will be determined already at 
distribution time, and again this value is reconstructable even against the actions 
of the cheaters. 


2.2. Adversaries and their Powers 


It is common to model cheating by considering an adversary who may corrupt 
some subset of the players. For concreteness, one may think of the adversary as 
a hacker who attempts to break into the players’ computers. When a player is 
corrupted, the adversary gets all the data held by this player, including complete 
information on all actions and messages the player has received in the protocol so 
far. This may seem to be rather generous to the adversary, for example one might 
claim that the adversary will not learn that much, if the protocol instructs players 
to delete sensitive information when it is no longer needed. However, first other 
players cannot check that such information really is deleted, and second even if a
player has every intention of deleting for example a key that is outdated, it may be 
quite difficult to ensure that the information really is gone and cannot be retrieved 
if the adversary breaks into this player’s computer. Hence the standard definition 
of corruption gives the entire history of a corrupted player to the adversary. 

One can distinguish between passive and active corruption. Passive corrup- 
tion means that the adversary obtains the complete information held by the cor- 
rupted players, but the players still execute the protocol correctly. Active corrup- 
tion means that the adversary takes full control of the corrupted players. 

It is (at least initially) unknown to the honest players which subset of players 
is corrupted. However, no protocol can be secure if any subset can be corrupted. 
For instance, we cannot even define security in a meaningful way if all players 
are corrupt. We therefore need a way to specify some limitation on the subsets 
the adversary can corrupt. For this, we define an adversary structure 𝒜, which is 
simply a family of subsets of the players. And we define an 𝒜-adversary to be an 
adversary that can only corrupt a subset of the players if that subset is in 𝒜. The 
adversary structure could for instance consist of all subsets with cardinality less 
than some threshold value t. In order for this to make sense, we must require for 
any adversary structure that if A ∈ 𝒜 and B ⊆ A, then B ∈ 𝒜. The intuition is 
that if the adversary is powerful enough to corrupt subset A, then it is reasonable 
to assume that he can also corrupt any subset of A. 

Both passive and active adversaries may be static, meaning that the set of 
corrupted players is chosen once and for all before the protocol starts, or adaptive 
meaning that the adversary can at any time during the protocol choose to corrupt 
a new player based on all the information he has at the time, as long as the total 
corrupted set is in 𝒜. 


2.3. Models of Communication 


Two basic models of communication have been considered in the literature. In 
the cryptographic model, the adversary is assumed to have access to all messages 
sent, however, he cannot modify messages exchanged between honest players. This 
means that security can only be guaranteed in a cryptographic sense, i.e. assuming 
that the adversary cannot solve some computational problem. In the information- 
theoretic (abbreviated i.t., sometimes also called secure channels) model, it is as- 
sumed that the players can communicate over pairwise secure channels, in other 
words, the adversary gets no information at all about messages exchanged be- 
tween honest players. Security can then be guaranteed even when the adversary 
has unbounded computing power. 

For active adversaries, there is a further problem with broadcasting, namely 
if a protocol requires a player to broadcast a message to everyone, it does not 
suffice to just ask him to send the same message to all players. If he is corrupt, he 
may say different things to different players, and it may not be clear to the honest 
players if he did this or not (it is certainly not clear in the i.t. scenario). One 
therefore in general has to make a distinction between the case where a broadcast 
channel is given for free as a part of the model, or whether such a channel has to 
be simulated by a subprotocol. We return to this issue in more detail later. 

We assume throughout that communication is synchronous, i.e., processors 
have clocks that are to some extent synchronized, and when a message is sent, 
it will arrive before some time bound. In more detail, we assume that a protocol 
proceeds in rounds: in each round, each player may send a message to each other 
player, and all messages are delivered before the next round begins. We assume 
that in each round, the adversary first sees all messages sent by honest players 
to corrupt players (or in the cryptographic scenario, all messages sent). If he is 
adaptive, he may decide to corrupt some honest players at this point. And only 
then does he have to decide which messages he will send on behalf of the corrupted 
players. This fact that the adversary gets to see what honest players say before 
having to act himself is sometimes referred to as a rushing adversary. 

In an asynchronous model of communication where message delivery or 
bounds on transit time is not guaranteed, it is still possible to solve most of the 
problems we consider here. However, we stick to synchronous communication — for 
simplicity, but also because problems can only be solved in a strictly weaker sense 
using asynchronous communication. Note, for instance, that if messages are not 
necessarily delivered, we cannot demand that a protocol generates any output. 


2.4. Definition of Security 


2.4.1. How to not do it. Defining security of MPC protocols is not easy, because 
the problem is so general. A good definition must automatically lead to a definition, 
for instance, of secure electronic voting because this is a special case of MPC. The 
classical approach to such definitions is to write down a list of requirements: the 
inputs must be kept secret, the result must be correct, etc. However, apart from 
the fact that it may be hard enough technically to formalize such requirements, it 
can be very difficult to be sure that the list is complete. For instance, in electronic 
voting, we would clearly be unhappy about a solution that allowed a cheating 
voter to vote in a way that relates in a particular way to an honest player’s vote. 
Suppose, for instance, that the vote is a yes/no vote. Then we do not want player 
P_i to be able to behave such that his vote is always the opposite of honest player 
P_j's vote. Yet a protocol with such a defect may well satisfy the demand that 
all inputs of honest players are kept private, and that all submitted votes of the 
right form are indeed counted. Namely, it may be that a corrupt P_i does not know 
how he votes, he just modifies P_j's vote in some clever way and submits it as his 
own. So maybe we should demand that all players in a multiparty computation 
know which input values they contribute? Probably yes, but can we then be sure 
that there are no more requirements we should make in order to capture security 
properly? 


2.4.2. The Ideal vs. Real World Approach. To get around this seemingly endless 
series of problems, we will take a completely different approach: in addition to the 
real world where the actual protocol and attacks on it take place, we will define 
an ideal world which is basically a specification of what we would like the protocol 
to do. The idea is then to say that a protocol is good if what it produces cannot 
be distinguished from what we could get in the ideal scenario. 

To be a little more precise, we will in the ideal world assume that we have 
access to an uncorruptible computer, a so called Ideal Functionality F. All players 
can privately send inputs to and receive outputs from F. F is programmed to 
execute a certain number of commands, and will, since it is uncorruptible, always 
execute them correctly according to its (public) specification, without leaking any 
information other than the outputs it is supposed to send to the players. A bit 
more precisely, the interface of F is as follows: F has an input and an output 
port for every player. Furthermore, it has two special, so called corrupt input and 
output ports, used for communication with the adversary. In every round, F reads 
inputs from its input ports, and returns results on the output ports. The general 
rule is that whenever a player P_i is corrupted, F stops using the i'th input/output 
ports and the adversary then communicates on behalf of P_i over the corrupted 
input/output ports. 

In the following, we will sometimes talk about a corrupted P_i communicating 
with F, to make the text easier to understand, but this should be taken to mean 
that the adversary communicates on behalf of P_i as we just described. 

The goal of a protocol π is to create, without help from trusted parties, and 
in presence of some adversary, a situation "equivalent" to the case where we have 
F available. If this is the case, we say that π securely realizes F. For instance, the 
goal of computing a function securely can be specified by an ideal functionality 
that receives inputs from the players, evaluates the function and returns results to 
the players. But in fact, any cryptographic task, such as commitment schemes or 
payment systems, can be naturally modelled by an ideal functionality. 

In order to give a precise definition, we need to say exactly what we mean by 
the protocol being "equivalent" to F. Let us reason a little about this. A couple 
of things are immediately clear: when F is used, corrupting some player P_i means 
you see the inputs and outputs of that player, but you will learn nothing else. 
An active attack can change the inputs that P_i uses, but can influence the results 
computed in no other way: F always returns results to players that are correctly 
computed based on the inputs it received. So clearly, a protocol that securely 
realizes F must satisfy something similar. 

But more is true: we want that protocol and functionality are equivalent, 
no matter in which context the protocol is used. And we have to realize that 
this context contains more than just the adversary. It also consists, for instance, 
of human users or computer systems that supply inputs to the protocol. Or if 
the protocol is used as a subroutine in a bigger system, that system is certainly 
part of the environment. So in general, we can think of the environment as an 
entity that chooses inputs that players will use in the protocol and receives the 
results they obtain. We will define equivalence to mean that the entire environment 
cannot tell any essential difference between using the protocol and using the ideal 
functionality. 
Towards formalizing this, an important observation is that the adversary is 
not really an entity separate from the environment, he is actually an integrated 
part of it. Consider for instance the case where the protocol is used as a subroutine 
in a higher level protocol. In such a case, the honest players may choose their inputs 
as a result of what they experience in the higher level protocol. But this higher 
level protocol may also be attacked by the adversary, and clearly this may give 
him some influence on the inputs that are chosen. In other words, the choice of 
inputs at some point in time may be a result of earlier adversarial activity. A 
second observation relates to the results that honest players compute. Again, if 
we think of the situation where our protocol is used as a subroutine in a bigger 
construction, it is clear that the result an honest player obtains may be used in 
the bigger construction, and may affect his behavior later. As a result of this, the 
adversary may be able to deduce information about these results. In other words, 
adversarial activity now may be a function of results computed by the protocol 
earlier. 


2.4.3. The Definition: Universal Composability. The definition we give here is a 
variant of the universally composable (UC) security definition given by Canetti in 
[8]. This definition builds on several earlier works (see e.g. [1, 24, 6]). The variant 
is due to Nielsen [25] and adapts the UC definition to the synchronous model 
of communication. We generalize it slightly here to cover both the i.t. and the 
cryptographic scenario. 

We now go to the actual definition of the model: 

The real world contains the environment Z and the players P_1, ..., P_n, all of whom 
are modelled as interactive Turing machines (ITM's). The players communicate 
on a synchronous network using open channels or perfectly secure pairwise com- 
munication as specified earlier. In line with the discussion above, the environment 
Z should be thought of as a conglomerate of everything that is external to the 
protocol execution. This includes the adversary, so therefore Z can do everything 
we described earlier for an adversary, i.e., it can corrupt players passively/actively 
and statically/adaptively, according to an adversary structure 𝒜. This is called an 
𝒜-environment. The players follow their respective programs specified in protocol 
π, until they are corrupted and possibly taken over by Z. In addition to this, Z 
also communicates with the honest players, as follows: in every round Z sends a 
(possibly empty) input to every honest player, and at the end of every round each 
honest player computes a result that is then given to Z. 

When the protocol is finished, Z outputs a single bit, the significance of 
which we will return to shortly. In addition to other inputs, all entities get as 
initial input a security parameter value k, which is used to control the security 
level of the execution, e.g., the size of keys to use in the cryptographic scenario. To 
fully formalize the description, more details need to be specified, such as the exact 
order in which the different ITM’s are activated. Details on this can be found in 
the appendix. 
The ideal world contains the same environment we have in the real world, but there 
are no players. Instead, we have an ideal functionality F, and a simulator S. As 
mentioned above, F cannot be corrupted, and it will be programmed to carry out 
whatever task we want to execute securely, such as computing a function. Recall 
that we described the interface of F: F has an input and an output port for every 
player in the real protocol, and corrupt input/output ports, for communication 
with the environment/adversary. 

The whole idea is that the environment Z we looked at in the real world 
should be able to act in the same way in the ideal world. Now, Z has two kinds of 
activities. First, it is allowed to send inputs to the honest players and see their out- 
puts. We handle this by relaying these data directly to the relevant input/output 
ports of F. Second, Z expects to be able to attack the protocol by corrupting 
players, seeing all data they send/receive and possibly control their actions. For 
this purpose, we have the simulator S. Towards Z, S attempts to provide all the 
data Z would see in a real attack, namely internal data of newly corrupted players 
and protocol messages that corrupted players receive. We want Z to work exactly 
like it does in the real world, so therefore S must go through the protocol in the 
right time ordering and in every round show data to Z that look like what it 
would see in the real world. S is not allowed to rewind Z. The only help S gets 
to complete this job is that it gets to use the corrupt input/output ports of F, 
i.e., towards F, it gets to provide inputs and see outputs on behalf of corrupted 
players. Concretely, as soon as Z issues a request to corrupt player P_i, both S and 
F are notified about this. Then the following happens: S is given all inputs/outputs 
exchanged on the i'th input/output ports of F until now. F then stops using in- 
put/output port number i. Instead it expects S to provide inputs "on behalf of 
P_i" on the corrupt input port and sends output meant for P_i to S on the corrupt 
output port. One way of stating this is: we give to S exactly the data that the 
protocol is supposed to release to corrupt players, and based on this, it should be 
possible to simulate towards Z all the rest that corrupted players would see in a 
real protocol execution. 

It is quite obvious that whatever functionality we could possibly wish for, 
could be securely realized simply by programming F appropriately. However, do 
not forget that the ideal world does not exist in real life, it only provides a spec- 
ification of a functionality we would like to have. The point is that we can have 
confidence that any reasonable security requirement we could come up with will 
be automatically satisfied in the ideal world, precisely because everything is done 
by an uncorruptible party — and so, if we can design a protocol that is in a strong 
sense equivalent to the ideal functionality, we know that usage of the protocol will 
guarantee the same security properties — even those we did not explicitly specify 
beforehand! 

We can now start talking about what it means that a given protocol π securely 
realizes ideal functionality F. Note that the activities of Z have the same form 
in real as in ideal world. So Z will output one bit in both cases. This bit is a 
random variable, whose distribution in the real world may depend on the programs 
of π, Z and also on the security parameter k and Z's input z. We call this variable 
REAL_{π,Z}(k, z). Its distribution is taken over the random choices of all ITM's that 
take part. Similarly, in the ideal world, the bit output by Z is a random variable 
called IDEAL_{F,S,Z}(k, z). We then have: 


Definition 1. We say that π 𝒜-securely realizes F, if there exists a polynomial time 
simulator S such that for any 𝒜-environment Z and any input z, we have that 


$$\bigl|\Pr(\mathrm{REAL}_{\pi,Z}(k,z) = 0) - \Pr(\mathrm{IDEAL}_{F,S,Z}(k,z) = 0)\bigr|$$

is negligible in k. 


Here, negligible in k means, as usual, that the entity in question is smaller 
than 1/f(k) for any polynomial f() and all sufficiently large k. 

Some remarks on how to interpret this definition: The output bit of Z can be 
thought of as its guess at which world it is in. So the definition basically demands 
that there is a simulator S using not too much computing power such that for every 
environment in which the protocol is used, the protocol can be replaced by the ideal 
functionality without the environment noticing this. So in this sense, the definition 
says that using the protocol is “equivalent” to using the ideal functionality. 

For instance, the definition implies that the protocol does not release more 
information to corrupt players than it is “allowed to”: in the ideal world, the sim- 
ulator S gets results for corrupted players directly from F’, and based on only this, 
S can produce a view of the protocol that looks exactly like what corrupt players 
would see in the real world. The definition also implies that honest players get cor- 
rect results: this is automatically ensured in the ideal world, and any mismatch in 
the real world could be detected by Z so that the definition could not be satisfied. 

There are several possible variants of this definition. The one we gave requires 
so-called statistical security, but can be made stronger by requiring that the two 
involved probabilities are equal for all k, and not just close. This is called perfect 
security. In both cases we consider all (potentially unbounded) adversaries and 
environments. This fits with the i.t. scenario. For the cryptographic scenario, we 
need to restrict adversaries and environments to polynomial time, and we will only 
be able to prove protocols relative to some complexity assumption — we then speak 
of computational security. 


2.4.4. Composition of Protocols. The most useful feature of universally compos- 
able security as defined here is exactly the composability: Let us define a G-hybrid 
model, as follows: G is assumed to be an ideal functionality, just like we described 
above. A protocol π in the G-hybrid model is a real-world protocol that is also 
allowed to make calls to G through the usual interface, that is, honest player P_i 
may privately specify inputs to G by sending data directly to the i'th input port, 
and G returns results to P_i on the i'th output port. If the environment corrupts 
a player, it uses the corrupt input/output ports of G to exchange data on behalf 
of the corrupted player. The model allows the protocol to run several indepen- 
dent instances of G, and there is no assumption on the timing of different calls, in 
particular, they may take place simultaneously. 
Of course, π may itself be a secure realization of some ideal functionality F, or 
put another way: π describes how to implement F securely, assuming functionality 
G is available. This is defined formally in the same way as in Definition 1, but with 
two changes: first, we replace in the definition the real world with the G-hybrid 
model. And second, the ideal world is modified: the simulator must create a setting 
that to the environment looks like a protocol execution in the G-hybrid model, 
even though no G is available. So therefore all messages Z wants to send to G will 
go to the simulator S, and S must then create responses "from G". 

Now suppose we have a protocol ρ that securely realizes G in the real world. 
We let π^ρ denote the real-world protocol that is obtained by replacing each call 
in π to G by a call to ρ. Note that this may cause several instances of ρ to be 
running concurrently. We make no assumption on any synchronization between 
these instances. Then we have the following, which is proved in the appendix: 


Theorem 1. If protocol π in the G-hybrid model securely realizes F, and protocol 
ρ in the real world securely realizes G, then protocol π^ρ securely realizes F in the 
real world. 


As we shall see, this result is incredibly useful when constructing and proving 
protocols: when building π, we can assume that ideal functionality G is "magically" 
available, and not worry about how to implement it. When we build ρ, we only 
have to worry about realizing G, and not about how the protocol will be used 
later. 


3. Results on MPC 


We now list some important known results on MPC. A remark on terminology: the 
security definition works with an environment Z, that includes the adversary as an 
integrated part that may potentially influence everything the environment does. 
It is therefore really a matter of taste whether one wants to speak of Z as “the 
environment” or “the adversary”. In the following, we will use both terms, but the 
formal interpretation will always be the entity Z as defined above. Furthermore, 
when we speak below of "securely computing" a function, this formally means 
securely realizing a functionality F_MPC that is defined in more detail later. 


3.1. Results for Threshold Adversaries 


The classical results for the information-theoretic model due to Ben-Or, Gold- 
wasser and Wigderson [4] and Chaum, Crépeau and Damgård [10] state that every 
function can be securely computed with perfect security in presence of an adaptive, 
passive (adaptive, active) adversary, if and only if the adversary corrupts less than 
n/2 (n/3) players. The fastest known protocols can be found in Gennaro, Rabin 
and Rabin [19]. 

When a broadcast channel is available, then every function can be securely 
computed with statistical security in presence of an adaptive, active adversary if 
and only if the adversary corrupts less than n/2 players. This was first shown by 
Rabin and Ben-Or [29]. The most efficient known protocols in this scenario are by 
Cramer, Damgård, Dziembowski, Hirt and Rabin [12]. 

The most general results for the cryptographic model are by Goldreich, Micali 
and Wigderson [20] who showed that, assuming trapdoor one-way permutations 
exist, any function can be securely computed with computational security in pres- 
ence of a static, active adversary corrupting less than n/2 players and by Canetti 
et al. who show [7] that security against adaptive adversaries in the cryptographic 
model can also be obtained, although at the cost of a significant loss of efficiency. 
Under specific number theoretic assumptions, Damgård and Nielsen have shown 
that adaptive security can be obtained without essential loss of efficiency, com- 
pared to the best known statically secure solutions [17]. 


3.2. Results for General Adversaries 


Hirt and Maurer [21] introduced the scenario where the adversary is restricted to 
corrupting any set in a general adversary structure. 

In the field of secret sharing we have a well-known generalization from thresh- 
old schemes to secret sharing over general access structures. Hirt and Maurer’s 
generalization does the same for multiparty computation. One may think of the 
sets in their adversary structure as corresponding in secret sharing terminology to 
those subsets that cannot reconstruct the secret. 

Let Q2 (and Q3) be the conditions on a structure that no two (no three) of 
the sets in the structure cover the full player set. The result of [21] can be stated as 
follows: In the information-theoretic scenario, every function can be securely com- 
puted with perfect security in presence of an adaptive, passive (adaptive, active) 
𝒜-adversary if and only if 𝒜 is Q2 (Q3). This is for the case where no broadcast 
channel is available. The threshold results of [4], [10], [20] are special cases, where 
the adversary structure contains all sets of size less than n/2 or n/3. 

This general model leads to strictly stronger results. Consider, for instance, 
the following infinite family of examples: Suppose our player set is divided into 
two groups X and Y of m players each (n = 2m) where the players are on friendly 
terms within each group but tend to distrust players in the other group. Hence, 
a coalition of active cheaters might consist of almost all players from X or from 
Y, whereas a mixed coalition with players from both groups is likely to be quite 
small. Concretely, suppose we assume that a group of active cheaters can consist 
of at most 9m/10 players from only X or only Y, or it can consist of less than m/5 
players coming from both X and Y. This defines an adversary structure satisfying 
Q3, and so multiparty computations are possible in this scenario. Nevertheless, no 
threshold solution exists, since the largest coalitions of corrupt players have size 
more than n/3.¹ The intuitive reason why threshold protocols fail here is that they 
will by definition have to attempt protecting against any coalition of size 9m/10, 
an impossible task. On the other hand this is overkill because not every coalition 
of this size actually occurs, and therefore multiparty computation is still possible 
using more general tools. 


¹ It can be shown that no weighted threshold solution exists either for this scenario, i.e., a solution 
using threshold secret sharing, but where some players are given several shares. 
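The Q2 / Q3 conditions and the two-group X/Y family above, as an added example in Python that is not part of the chapter: an adversary structure is described by a monotone predicate on how many players a set takes from each group, and the code decides by enumeration whether no k sets of the structure cover the player set. Run on the X/Y structure it confirms Q3 (and Q2), and it shows that the threshold structure one would need in order to contain it, t = 9m/10 on n = 2m players, violates Q3. The value m = 10 is an assumption; describing sets by per-group counts is only a convenient way to enumerate the structure, not a notion from the text.

```python
"""Checking the Q2 / Q3 conditions of an adversary structure.

Added example, not code from the chapter. An adversary structure is given
by a monotone predicate on count vectors: the players are partitioned into
groups of the given sizes and a set is described by how many players it
takes from each group (the two-group X/Y example is of this form, and a
threshold structure is the one-group case). The concrete m used at the
bottom is an assumption; the 9m/10 and m/5 bounds are those of the text.
"""
from itertools import combinations_with_replacement, product


def count_vectors(sizes):
    """All (x_1, ..., x_g) with 0 <= x_j <= sizes[j]."""
    return list(product(*(range(m + 1) for m in sizes)))


def is_monotone(sizes, corruptible):
    """Sanity check required by the definition of an adversary structure:
    if A is in it then so is every subset of A, i.e. every coordinate-wise
    smaller count vector must be corruptible too."""
    vs = count_vectors(sizes)
    return all(corruptible(w)
               for v in vs if corruptible(v)
               for w in vs if all(a <= b for a, b in zip(w, v)))


def maximal_vectors(sizes, corruptible):
    """Maximal elements of the structure; by monotonicity they decide covers."""
    inside = [v for v in count_vectors(sizes) if corruptible(v)]
    return [v for v in inside
            if not any(w != v and all(a <= b for a, b in zip(v, w))
                       for w in inside)]


def is_Qk(sizes, corruptible, k):
    """Q_k: no k sets of the structure cover the whole player set.
    k sets with count vectors v_1..v_k can be chosen to cover all players
    iff sum_i v_i >= sizes coordinate-wise (every set with a given count
    vector is in the structure, so the sets can be chosen to overlap as
    little as needed), hence it suffices to try k-multisets of maximal
    vectors."""
    assert is_monotone(sizes, corruptible), "not an adversary structure"
    maxs = maximal_vectors(sizes, corruptible)
    for combo in combinations_with_replacement(maxs, k):
        if all(sum(v[g] for v in combo) >= sizes[g] for g in range(len(sizes))):
            return False
    return True


def max_corruptible_size(sizes, corruptible):
    """Largest coalition the adversary may corrupt: the threshold t a
    threshold structure would need in order to contain this structure."""
    return max(sum(v) for v in maximal_vectors(sizes, corruptible))


def two_group(m):
    """The X/Y structure of the text: at most 9m/10 players from only X or
    only Y, or fewer than m/5 players in total drawn from both groups."""
    def corruptible(v):
        x, y = v
        if x == 0 or y == 0:
            return x + y <= 9 * m // 10
        return x + y < m / 5
    return corruptible


def threshold(t):
    """Threshold structure on a single group: all sets of size at most t."""
    return lambda v: v[0] <= t


if __name__ == "__main__":
    m = 10                                   # assumed; n = 2m = 20 players
    sizes = (m, m)
    print("two-group structure is Q2:", is_Qk(sizes, two_group(m), 2))
    print("two-group structure is Q3:", is_Qk(sizes, two_group(m), 3))
    t = max_corruptible_size(sizes, two_group(m))   # 9m/10 = 9 > n/3
    print("threshold structure with t =", t, "on", 2 * m,
          "players is Q3:", is_Qk((2 * m,), threshold(t), 3))
```

The cover test is reduced to maximal count vectors, which keeps the check cheap even for m = 20 or more; for a structure that is not symmetric within groups one would instead enumerate subsets directly, with the same cover criterion.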

The protocols of [21] rely on quite specialized techniques. Cramer, Damgård 
and Maurer [13] show that any linear secret sharing scheme can be used to build 
MPC protocols. A linear secret sharing scheme is one in which each share is a fixed 
linear function (over some finite field) of the secret and some random field elements 
chosen by the dealer. Since all the most efficient general techniques for secret 
sharing are linear, this gives the fastest known protocols for general adversary 
structures. They also show that the Q2 condition is necessary and sufficient for 
MPC in the cryptographic scenario. 


4. MPC Protocols 


In this section we will sketch how to show some of the general results we listed 
above. More precisely, we will look at ways to securely realize the following func- 
tionality, where we assume a threshold adversary that can corrupt at most t play- 
ers, and the function to be computed is a function f : ({0,1}*)^n → ({0,1}*)^n. 

Some notation: when we say that a functionality receives a message of form 
(P_i : mes), this means that if P_i is honest at this point, mes was received on the 
i'th input port, and if P_i has been corrupted, P_i : mes was received on the corrupt 
input port, i.e., it was sent by environment or simulator as a message on behalf of 
a corrupted player. 


Functionality F_MPC 
The behavior of the functionality depends on two integer parameters InputDelay, 
ComputeDelay, that are explained in more detail below. 

1. Initially, set x_i = ⊥ (the empty string) for i = 1, ..., n. 

2. In the first round, collect all messages received of form (P_i : Input, v), and 
let I be the set of P_i's occurring as senders. If I includes all honest players, 
set x_i = v for each P_i ∈ I and send "Inputs received" on the corrupt output 
port. If I does not include the set of honest players, send all internal data to 
the corrupt output port and stop. 

If in a round before round number InputDelay, (P_i : change, v') for a 
corrupt player P_i is received, set x_i = v' (note that we may have v' = ⊥). 

3. If any non-empty message is received from an honest player after Step 2, send 
all internal data to the corrupt output port and stop. Wait ComputeDelay 
rounds, then set (y_1, ..., y_n) = f(x_1, ..., x_n) and send y_i to P_i (on the i'th output 
port if P_i is honest, and otherwise on the corrupt output port). 


Two remarks on this functionality: The intended way to use the functionality is 
that all honest players should send their inputs in the first round (along with those 
corrupt players that want to contribute input), and after this point no honest player 
should send input. The functionality is defined such that security is only required 
if it is used as intended. If anything else happens, all internal data are revealed 
(to environment or simulator) and it becomes trivial to simulate. The reason for 
the peculiar way to define the input step is to model that honest players must 
know from the start what input they contribute, but a corrupt player need not 
be bound to its input until after InputDelay rounds, and may for instance start 
the protocol honestly and then stop. The functionality waits for ComputeDelay 
rounds before it sends the results out. This is to model the fact that the protocol 
implementing the actual computation takes some number of rounds to finish. 

To build a concrete protocol for this problem, we assume that a fixed finite 
field K is given, and that the function we want to compute is specified as an 
arithmetic circuit over K. That is, all input values are elements in K and the 
desired computation is specified as a number of additions and multiplications in 
K of the input values (or intermediate results). This is without loss of generality: 
Any function that is feasible to compute at all can be specified as a polynomial 
size Boolean circuit using, for instance, and, or and not-operations. But any such 
circuit can be simulated by operations in K: Boolean values true or false can be 
encoded as 1 resp. 0. Then the negation of bit b is 1 − b, the and of bits b, b' is b·b' 
and the or becomes 1 − (1 − b)(1 − b'). 

The only necessary restriction on K is that |K| > n, but we will assume for 
concreteness and simplicity that K = Z_p for some prime p > n. 


Our main tool to build the protocol will be Secret Sharing, in particular 
Shamir's scheme, which is based on polynomials over K. A value s ∈ K is shared 
by choosing a random polynomial f_s(X) of degree at most t such that f_s(0) = s, 
and then sending privately to player P_j the value f_s(j). The well known facts 
about this method are that any set of t or fewer shares contain no information 
on s, whereas it can be reconstructed from any t + 1 or more shares. Both of these 
facts are proved using Lagrange interpolation: 


If h(X) is a polynomial of degree at most l and if C is a subset of K with 
|C| = l + 1, then 

$$h(X) = \sum_{i \in C} h(i)\,\delta_i(X),$$

where δ_i(X) is the degree l polynomial such that, for all i, j ∈ C, δ_i(j) = 0 if i ≠ j 
and δ_i(j) = 1 if i = j. In other words, 

$$\delta_i(X) = \prod_{j \in C,\; j \neq i} \frac{X - j}{i - j}.$$

We briefly recall why this holds. The right hand side Σ_{i∈C} h(i)δ_i(X) is clearly a 
polynomial of degree at most l that on input i evaluates to h(i) for every i ∈ C. 
Therefore, if it were not equal to h(X), the difference of the two polynomials 
would be a non-zero polynomial of degree at most l with the l + 1 zeroes in C, 
i.e. a polynomial whose number of zeroes exceeds its degree, a contradiction. 


Another consequence of Lagrange interpolation is that if h(X) is a polynomial 
of degree at most n − 1, then there exist easily computable values r_1, ..., r_n such 
that 

$$h(0) = \sum_{i=1}^{n} r_i\, h(i).$$

Namely, r_i = δ_i(0), taking C = {1, ..., n}. We call (r_1, ..., r_n) a recombination vector. 


We are going to need the following simple fact about recombination vectors: 


Lemma 1. Let (r_1, ..., r_n) be any recombination vector, and let I be any subset of 
{1, 2, ..., n} of size less than n/2. Then there always exists an i ∉ I with r_i ≠ 0. 


Proof. Suppose we share values a, b, resulting in shares a_1, ..., a_n, b_1, ..., b_n, using 
polynomials f, g of degree ≤ t, where t is maximal such that t < n/2. Then 
a_1b_1, a_2b_2, ..., a_nb_n is a sharing of ab based on fg, which is of degree at most 
2t ≤ n − 1, so ab = Σ_{i=1}^n r_i a_ib_i. If the Lemma was false, there would exist a set I 
of size at most t with r_i = 0 for all i ∉ I, so the players in I could use r and their 
shares in a, b to compute ab = Σ_{i∈I} r_i a_ib_i. But this contradicts the 
fact that any t or fewer shares contain no information on a, b. 











Since the function we are to compute is specified as an arithmetic circuit over
K, our task is, loosely speaking, to compute a number of additions and multipli-
cations in K of the input values (or intermediate results), while revealing nothing
except for the final result(s).





Exercise. A useful first step to build MPC protocols is to design a secret sharing
scheme with the property that a secret can be shared among the players such
that no corruptible set has any information, whereas any non-corruptible set can
reconstruct the secret. Shamir's scheme shows how to do this for a threshold
adversary structure, i.e., where the corruptible sets are those of size t or less. In
this exercise we will build a scheme for the non-threshold example we saw earlier.
Here we have 2m players divided in subsets X, Y with m players in each, and the
corruptible sets are those with at most 9m/10 players from only X or only Y, and
sets of less than m/5 players with players from both X and Y (we assume m is
divisible by 10, for simplicity).

• Suppose we shared secrets using Shamir's scheme, with t = 9m/10, or with
t = m/5 − 1. What would be wrong with these two solutions in the given
context?

• Design a scheme that does work in the given context. Hint: in addition to the
secret s, create a random element u ∈ K, and come up with a way to share it
such that only subsets with players from both X and Y can compute u. Also
use Shamir's scheme with both t = 9m/10 and t = m/5 − 1.


4.1. The Passive Case 


This section covers the i.t. scenario with a passive adversary. We assume a thresh-
old adversary that can corrupt up to t players, where t < n/2. The protocol starts
by

Input Sharing: Each player P_i holding input x_i ∈ K secret shares x_i using
Shamir's secret sharing scheme: he chooses at random a polynomial f of
degree ≤ t with f(0) = x_i and sends a share to each player, i.e., he sends f(j) to P_j, for
j = 1, ..., n.


We then work our way gate by gate through the given arithmetic circuit over 
K, maintaining the following 


Invariant: All input values and all outputs from gates processed so far are secret
shared, i.e. each such value a ∈ K is shared into shares a_1, ..., a_n, where P_i
holds a_i. Remark: if a depends on an input from an honest player, this must
be a random set of shares with the only constraint that it determines a. From
the start, no gates are processed, and only the inputs are shared.


To determine which gate to process next, we simply take an arbitrary gate for
which both of its inputs have been shared already.

Once a gate producing one of the final output values y has been processed, y
can be reconstructed in the obvious way by broadcasting the shares y_1, ..., y_n, or,
if y is a value that should go only to player P_j, the shares are sent privately to P_j.

It is therefore sufficient to show how addition and multiplication gates are
handled. Assume the input values to a gate are a and b, determined by shares
a_1, ..., a_n and b_1, ..., b_n, respectively.


Addition: For i = 1, ..., n, P_i computes a_i + b_i. The shares a_1 + b_1, ..., a_n + b_n
determine a + b as required by the invariant.
Multiplication: For i = 1, ..., n, P_i computes a_i · b_i = c̃_i.
Resharing step: P_i secret shares c̃_i, resulting in shares c_{i1}, ..., c_{in}, and
sends c_{ij} to player P_j.
Recombination step: For j = 1, ..., n, player P_j computes c_j =
Σ_{i=1}^n r_i c_{ij}, where (r_1, ..., r_n) is the recombination vector. The shares c_1, ...,
c_n determine c = ab as required by the invariant. (The products c̃_i are points on
f_a f_b, a polynomial of degree at most 2t ≤ n − 1, so ab = Σ_i r_i c̃_i by the recombination
property; the resharing step brings the degree of the sharing back down to t.)


Note that we can handle addition and multiplication by a constant c by 
using a default sharing of c generated from, say, the constant polynomial f(x) = 
c. We are going to assume that every output from the circuit comes out of a 
multiplication gate. This is without loss of generality since we can always introduce 
a multiplication by 1 on the output without changing the result. This is not strictly 
necessary, but makes life easier in the proof of security below. 
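The sharing, the recombination vector r_i = δ_i(0) and the gate-by-gate protocol above, as an added worked example in Python that is not part of the lecture notes. It fixes p = 2^61 − 1, n = 5 and t = 2 (assumed values) and runs all players inside one process, so the private channels are simply list indices; the circuit (x_1 + x_2) · x_3 at the end is this example's own choice.

```python
"""Added example (not from the lecture notes): the passive-secure protocol of
Section 4.1 over K = Z_p with Shamir sharing, the recombination vector
r_i = delta_i(0), and the multiply / reshare / recombine multiplication gate."""
import secrets

P = 2**61 - 1   # assumed prime p > n; any such prime works for K = Z_p
N = 5           # number of players P_1..P_n (assumed)
T = 2           # threshold: t < n/2, so 2t <= n - 1 (assumed)


def share(s, t=T, n=N, p=P):
    """Shamir: pick a random f of degree <= t with f(0) = s; share j is f(j)."""
    coeffs = [s % p] + [secrets.randbelow(p) for _ in range(t)]
    return [sum(c * pow(j, k, p) for k, c in enumerate(coeffs)) % p
            for j in range(1, n + 1)]


def lagrange_at_zero(points, p=P):
    """h(0) from pairs (i, h(i)); needs at least deg(h) + 1 distinct points."""
    total = 0
    for i, hi in points:
        num = den = 1
        for j, _ in points:
            if j != i:
                num = num * (-j) % p
                den = den * (i - j) % p
        total = (total + hi * num * pow(den, -1, p)) % p
    return total


def recombination_vector(n=N, p=P):
    """r_i = delta_i(0) = prod_{j != i} j / (j - i) on C = {1..n}, so that
    h(0) = sum_i r_i h(i) for every h of degree <= n - 1."""
    r = []
    for i in range(1, n + 1):
        num = den = 1
        for j in range(1, n + 1):
            if j != i:
                num = num * j % p
                den = den * (j - i) % p
        r.append(num * pow(den, -1, p) % p)
    return r


def add_gate(a_shares, b_shares, p=P):
    """Addition gate: P_i locally computes a_i + b_i, no communication."""
    return [(ai + bi) % p for ai, bi in zip(a_shares, b_shares)]


def mul_gate(a_shares, b_shares, t=T, n=N, p=P):
    """Multiplication gate of the passive protocol."""
    r = recombination_vector(n, p)
    # P_i computes c~_i = a_i * b_i. These are points on f_a * f_b, of degree
    # <= 2t <= n - 1: all n of them determine ab, but t + 1 no longer do.
    c_tilde = [(ai * bi) % p for ai, bi in zip(a_shares, b_shares)]
    # Resharing: P_i shares c~_i with a fresh degree-t polynomial and sends
    # c_ij to P_j; reshared[i-1][j-1] plays the role of c_ij.
    reshared = [share(ct, t, n, p) for ct in c_tilde]
    # Recombination: P_j computes c_j = sum_i r_i c_ij, which is a degree-t
    # share of sum_i r_i c~_i = ab.
    return [sum(r[i] * reshared[i][j] for i in range(n)) % p for j in range(n)]


def evaluate_circuit(x1, x2, x3, t=T, n=N, p=P):
    """Run (x1 + x2) * x3 through the protocol and open the result from the
    first t + 1 shares, as the invariant promises is possible."""
    s1, s2, s3 = share(x1, t, n, p), share(x2, t, n, p), share(x3, t, n, p)
    y_shares = mul_gate(add_gate(s1, s2, p), s3, t, n, p)
    return lagrange_at_zero(list(enumerate(y_shares, 1))[: t + 1], p)


if __name__ == "__main__":
    print(evaluate_circuit(3, 4, 5))   # 35
```

Two properties worth checking when running it: the entries of the recombination vector sum to 1 (take h ≡ 1), and the product shares returned by mul_gate open correctly from only t + 1 of them, whereas the intermediate c̃_i would need 2t + 1.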


4.1.1. Proof of Security for the Passive Case. In this section, we will argue the 
following result: 


Theorem 2. The protocol described in the previous section realizes F_MPC in the
i.t. scenario with perfect security against an unbounded, adaptive and passive en-
vironment corrupting at most t < n/2 players, and with InputDelay = 1 and
ComputeDelay equal to the depth of the circuit used to implement the function
computed.
For simplicity, we show here a proof of security assuming that each player P_i
gets as input a single value x_i ∈ K, and is to receive a single value y_i ∈ K. This
generalizes trivially to the case where inputs and outputs can be several values in
K.


Recall that to prove security, our task is to build a simulator S which interacts 
with the environment Z and the ideal functionality. 


Since corruptions are passive, we may assume that Z specifies messages for 
corrupt players to send by following the protocol, by definition of the model these 
messages are given to S, and S must generate messages on behalf of honest players 
and show these to Z. 


As a result of this, the algorithm of S is as follows, where throughout, A 
denotes the currently corrupted set, specified as a set of indices chosen from 
{1,2,...,n}: 


1. Whenever Z requests to corrupt a new player P_i, S will as a result see the
inputs (if any) specified so far for P_i by Z and results received from F_MPC
(and will from now on learn future inputs and outputs). Now, S will use
this information to reconstruct a complete view of P_i taking part in the
protocol up to the point of corruption, and will show this view to Z. The view
must, of course, be consistent with what Z has seen so far. We describe this
reconstruction procedure in more detail below. Finally, we set A := A ∪ {i}.
Note that these corruptions may take place at any point during the simulation
below of input sharing, computation and output generation.

2. In the first round, S will learn, by definition of F_MPC, whether Z has used
the functionality correctly, i.e., whether it has specified inputs for all honest
players or not. If not, all inputs are revealed, and it becomes trivial to simu-
late. So we continue, assuming inputs were specified as expected. S specifies
arbitrary input values for corrupt players and sends them to F_MPC (this is no
problem, we will learn the correct values soon).

In the next round, S does the following for each player P_i: if i ∈ A, record
the shares Z has generated on behalf of corrupt players, and reconstruct x_i
(which is easy by the assumption that Z follows the protocol). Send (P_i :
change, x_i) to F_MPC.

If i ∉ A, choose a random independent element in K for each corrupt player
(at most t of them), send these to Z and record them for later use. These elements
play the role of the shares of x_i held by corrupt players.

3. S must now simulate towards Adv the computation and reconstruction of the
outputs. To simulate the computation, S goes through the circuit with the
same order of gates as in the real protocol.

For each addition gate, where we add intermediate results a, b, each
corrupt P_i holds shares a_i, b_i (which are known to S). S now simply records
the fact that P_i now should add the shares to get c_i = a_i + b_i, and also records
c_i as the share of a + b known by P_i.
For each multiplication gate, where we multiply intermediate results a, b,
each corrupt P_i holds shares a_i, b_i of a, b. S sets c̃_i = a_i b_i, watches Z perform
a normal secret sharing of c̃_i and records for later use the shares c_{ij} generated.
For each honest P_i, S chooses random values {c_{ij} | P_j ∈ A} to simulate the
resharing done by honest players and sends the values to Adv. Finally, S
records the fact that each corrupt P_j now computes c_j = Σ_{i=1}^n r_i c_{ij}, and
also records c_j as the share of ab known by P_j.


4. To simulate the computation of the final result, S uses the fact that it knows
from F_MPC the result y_i for each corrupt P_i. From the simulation of the
circuit in the previous step, S has created a value s_j for each P_j ∈ A, and
this value plays the role of P_j's share of y_i.

S now computes a polynomial f_{y_i}() of degree at most t such that
f_{y_i}(0) = y_i and f_{y_i}(j) = s_j for all P_j ∈ A. Then S sets s_j = f_{y_i}(j) for
all P_j ∉ A, and sends these values to Adv, pretending that these are the
shares in y_i sent to P_i by honest players.


5. Finally, we describe how S can reconstruct the view of a player P_i taking part
in the protocol up to a given point, such that this is consistent with the data
generated by S so far. This can be thought of as a list of polynomials chosen
by P_i in order to secret share various values and a list of shares received from
other players. We describe how to do the reconstruction when the entire
computation has already taken place. This is without loss of generality: if
P_i is corrupted earlier, we just truncate the reconstruction procedure in the
natural way.

Input sharing: We now know x_i, the input of P_i, and S has already spec-
ified random shares r_j for P_j ∈ A. Now choose a random polynomial
f_{x_i}() of degree at most t subject to f_{x_i}(0) = x_i, f_{x_i}(j) = r_j. List f_{x_i}() as
the polynomial used by P_i to share x_i. As for inputs shared by another
player P_k, do as follows: if P_k ∈ A, a polynomial f_{x_k}() for x_k has already
been chosen, so just list f_{x_k}(i) as the share received by P_i. If P_k ∉ A,
choose a random value as the share in x_k received by P_i.

Additions: We may assume that we already listed a_i, b_i as P_i's shares in
the summands, so we just list a_i + b_i as his share in the sum.

Multiplications: The following method will work for all multiplication op-
erations except those leading to output values of already corrupted play-
ers, which are handled in the next item. We may assume that we already
listed a_i, b_i as P_i's shares in the factors, so we compute c̃_i = a_i b_i. We
now reconstruct P_i's sharing of c̃_i in exactly the same way as we recon-
structed his sharing of x_i above. We also follow the method from input
sharing to reconstruct the shares P_i receives of the c̃_k's of other players. Fi-
nally we can compute c_i, P_i's share in the product, following the normal
recombination step from the protocol.
Output generation: As for y_i, the output of P_i, this is now known from
F_MPC, and the shares in y_i held by corrupt players have been fixed ear-
lier, so we follow the same method for simulating the shares P_i receives
in the output reconstruction stage that we already described above.
For an output value y_j of an already corrupted player P_j, we have the
problem that we already showed to the adversary what was supposed to
be P_i's share s_i in y_j. Recall we assumed that any output y_j comes from
a multiplication gate. So we have to specify the values involved in P_i's
handling of this multiplication such that they will be consistent with s_i,
but also consistent with the view of P_i we generated so far. This is done
as follows: Let the multiplication in the circuit leading to y_j be y_j = ab,
let a_i, b_i be the shares in a, b we already specified for P_i, and let c̃_i = a_i b_i.
The multiplication protocol involves sharing c̃_i, and this has already
taken place, in the sense that S has sent random values c_{ij} to players in
A pretending they came from P_i. So we now choose a random polynomial
f_{c̃_i}() of degree at most t such that f_{c̃_i}(0) = c̃_i, f_{c̃_i}(j) = c_{ij} for j ∈ A, and list
this as the polynomial chosen by P_i for the multiplication. Finally, P_i
receives in the real protocol shares c_{ji} for every j, and is supposed to
compute his share in the product as s_i = Σ_j r_j c_{ji}. Of the c_{ji}'s, we have
already fixed the ones coming from corrupt players, {c_{ji} | j ∈ A}, and
c_{ii} = f_{c̃_i}(i), altogether at most t values (P_i has just been corrupted,
so there could be at most t − 1 corruptions earlier). We now choose
the remaining values c_{ji} as random independent values, subject only
to s_i = Σ_j r_j c_{ji}. So actually, we select a random solution to a linear
equation. By Lemma 1, there always exists a solution: some j ∉ A ∪ {i}
has r_j ≠ 0, so the equation can be solved for that c_{ji}.


This concludes the description of S. To show that S works as required, we
begin by fixing, in both the real and ideal world, arbitrary values for the input
and random tape of Z. This means that the only source of randomness is the
random choices of the players in the real world and those of S in the ideal world.
We claim that, for every set of fixed values, Z sees exactly the same distribution
when interacting with the ideal as with the real world, if we use S in the ideal
world as described above. This of course implies that the protocol realizes F_MPC
with perfect security since Z will then output 1 with the same probability in the
two cases.


What Z can observe is the outputs generated by the players, plus it sees the
view of the corrupt players as they execute the protocol. It will clearly be sufficient
to prove the following
Claim: In every round j, for j = 0 up to the final round, the view of Z has the
same distribution in the ideal as in the real world, given the fixed input and random tape
for Z.

We argue this by induction on j. The basis j = 0 is trivial as nothing has
happened in the protocol before the first round. So assume we have completed
round j having produced some correctly distributed view for Z so far. We need to
argue that given this, what S shows to Z in round j + 1 is correctly distributed.

Assume first that j + 1 is not the final round. Then the only messages Z will
see from honest players are sharings of values they hold. This is simulated perfectly:
both in simulation and in real protocol, the adversary sees ≤ t independent random
values in K as a result of every such sharing. Indeed, it is straightforward to
show, using interpolation, that any vector of ≤ t shares of a random threshold-t
Shamir sharing consists of independent random values. The only other source of
information for Z is what it will see as a result of corrupting a player P_i in round
j + 1. Since round j + 1 is not the final round, the view reconstruction procedure will
only execute the input sharing, addition and multiplication steps. By definition of
the model, we start with the correct value of x_i, and also with correctly distributed
shares of inputs of other players. It is then straightforward to see that the rest of
the values in the view follow in a correct way from the starting values.

Then assume that round j + 1 is the final round. This means that Z will see
results for all players. In the ideal world, these results are computed according to
the given function by F_MPC from the inputs specified by Z. But in the real world,
one can check by straightforward inspection of the protocol that all players will
compute the same function of the inputs specified by Z. In addition, Z will see
the corrupted players' view of the output reconstruction. Note that by the induction
hypothesis, the shares in a final result y_i held by corrupted players just before
the output reconstruction stage have the same distribution in simulation as in real
life. If y_i goes to an honest player, nothing further is revealed. If y_i goes to a
corrupt player, observe that in the real protocol, the polynomial that determines
y_i is random of degree at most t with the only constraint that it determines y_i
and is consistent with the shares held by corrupt players, since by Lemma 1 at
least one random polynomial chosen by an honest player is added into the poly-
nomial determining y_i. It is now clear that the procedure used by S to construct
a corresponding polynomial leads to the same distribution. Finally, one can check
by inspection and arguments similar to the above that also the output genera-
tion step of the procedure for reconstructing the view of a newly corrupted player
P_i chooses data with the correct distribution, again conditioned on inputs and
random tapes we fixed for Z and everything Z has seen earlier.


4.1.2. Optimality of Corruption Bound. What if t ≥ n/2? We will argue that then
there are functions that cannot be computed securely.

Towards a contradiction, suppose there is a protocol Π with perfect privacy
and perfect correctness for two players P_1, P_2 to securely evaluate the logical AND
of their respective private input bits b_1, b_2, i.e., b_1 ∧ b_2.

Assume that the players communicate using a perfect error-free communi-
cation channel. One of the players may be corrupted by an infinitely powerful,
passive adversary.

Without loss of generality, we may assume the protocol is of the following 
form. 


Multiparty Computation, an Introduction 59 


1. Each player P_i has a private input bit b_i. Before the protocol starts, they
select private random strings ρ_i ∈ {0,1}* of appropriate length.
Their actions in the forthcoming protocol are now uniquely determined
by these initial choices.
2. P_1 sends the first message m_11, followed by P_2's message m_21.
This continues until P_2 has sent sufficient information for P_1 to compute
r = b_1 ∧ b_2. Finally, P_1 sends r (and some halting symbol) to P_2.
The transcript of the conversation is
$$T = (m_{11}, m_{21}, \ldots, m_{1t}, m_{2t}, r).$$
For i = 1, 2, the view of P_i is
$$\mathrm{view}_i = (b_i, \rho_i, T).$$


Perfect correctness means here that the protocol always halts (in a number
of rounds t that may perhaps depend on the inputs and the random coins) and
that always the correct result is computed.

Perfect privacy means that given their respective views, each of the players
learns nothing more about the other player's input b' than what can be inferred
from his own input b and from the resulting function output r = b ∧ b'.

Note that these conditions imply that if one of the players has input bit equal 
to 1, then he learns the other player’s input bit with certainty, whereas if his input 
bit equals 0, he has no information about the other player’s input bit. 


We now argue that there is a strategy for a corrupted P_1 to always correctly
determine the input bit b_2 of P_2, even if his input b_1 equals 0, thereby contradicting
privacy.

Let P_1 have input bit b_1 = 0, and let the players execute the protocol, result-
ing in some particular transcript T.

If P_2 has input bit b_2 = 0, he doesn't learn anything about b_1 by privacy.
Hence, the transcript is also consistent with b_1 = 1.

But if b_2 = 1, then by correctness, the transcript cannot also be consistent
with b_1 = 1: in that case its final message r is not equal to the AND of the input
bits.

This gives rise to the following strategy for P_1.


1. P_1 sets b_1 = 0.

2. P_1 and P_2 execute the assumed protocol Π. This results in a fixed transcript
T.

3. P_1 verifies whether the transcript T = (m_11, m_21, ..., m_1t, m_2t, r) is also
consistent with b_1 = 1.

The consistency check can be performed as follows. P_1 checks whether
there exists a random string ρ'_1 such that the same transcript T results, given
that P_1 starts with b'_1 = 1 and ρ'_1.

P_1 can do this with an exhaustive search over all ρ'_1 and "simulating"
P_2 by having him "send" the same messages as in the execution.
More precisely, he first checks whether (b'_1 = 1, ρ'_1) leads to m_11. If so,
he "receives" P_2's message m_21, and checks whether his own next message
would equal m_12, and so forth, until perhaps exactly the same transcript T
results.

This process may take a long time, but that doesn't hurt since we have
assumed an all powerful adversary.

4. If so, he decides that b_2 = 0. Otherwise he decides that b_2 = 1.


Similar arguments can be given if we relax the assumptions on privacy and 
correctness. 

The assumptions about the players’ computational resources and the com- 
munication channel are essential. 

It can be shown that any of the following conditions is sufficient for the 
existence of a secure two-party protocol for the AND function (as well as OR). 


1. Existence of trapdoor one-way permutations. 
2. Both players are memory bounded. 
3. The communication channel is noisy. 


In principle, this leads to secure two-party protocols for any function. For 
more information, see for instance [14]. 


4.2. The Active Case 


In this section, we show how to modify the protocol secure against a passive ad-
versary to make it secure also against active cheating. We will postulate in the
following that we have a certain ideal functionality F_COM available. This function-
ality can then be implemented both in the i.t. and the cryptographic scenario. We
consider such implementations later.

We note already now, however, that in the cryptographic scenario, F_COM
can be implemented if t < n/2 (or in general, if the adversary structure is Q^2) and we make
an appropriate computational assumption. In the i.t. scenario we need to require
t < n/3 in case of protocols with zero error and no broadcast given. If we assume
a broadcast channel and allow a non-zero error, then t < n/2 will be sufficient. All
these bounds are tight.

Before we start, a word on broadcast: with passive corruption, broadcast is 
by definition not a problem, we simply ask a player to send the same message 
to everyone. But with active adversaries where no broadcast is given for free, 
a corrupt player may say different things to different players, and so broadcast 
is not immediate. Fortunately, in this case, we will always have that t < n/3 
for the i.t. scenario and t < n/2 for the cryptographic scenario, as mentioned. 
And in these cases there are in fact protocols for solving this so called Byzantine 
agreement problem efficiently. So we can assume that broadcast is given as an ideal 
functionality. In the following, when we say that a player broadcasts a message, 
this means that we call this functionality. Although real broadcast protocols take 
several rounds to finish, we will assume here for simplicity that broadcast happens 
in one round. 
4.2.1. Model for Homomorphic Commitments and Auxiliary Protocols. We will
assume that each player P_i can commit to a value a ∈ K. This will later be im-
plemented by distributing and/or broadcasting some information to other players.
We model it here by assuming that we have an ideal functionality F_COM. To com-
mit, one simply sends a to F_COM, who will then keep it until P_i asks to have it
revealed. Formally, we assume F_COM is equipped with the two commands Commit
and Open described below (more will be defined later).


Some general remarks on the definition of F_COM: since the implementation
of any of the commands may require all (honest) players to take part actively, we
require that all honest players in a given round send the same command to F_COM
in order for the command to be executed. In some cases, such as a commitment,
we can of course not require that all players send exactly the same information
since only the committing player knows the value to be committed to. So in such
a case, we require that the committer sends the command and his secret input,
while the others just send the command. If F_COM is not used as intended, e.g., the
honest players do not agree on the command to execute, F_COM will send all its
private data to all players and stop working. As with F_MPC, this is just a way to
specify that no security is required if the functionality is not used as intended.


Notation: CurrentRound always denotes the index of the current round. 
Some commands take some number of rounds to finish. This number for command 
Xxx is called XxxDelay. 


Commit: This command is executed if in some round player P_i sends (commit, i,
cid, a) and in addition all honest players send (commit, i, cid, ?). In this case
F_COM records the triple (i, cid, a). Here, cid is just an identifier, and a is
the value committed to. We require that all honest players agree to the fact
that a commitment should be made because an implementation will require
the active participation of all honest players. If P_i is corrupted and in a
round before CurrentRound + CommitDelay sends (commit, i, cid, a'), then
(i, cid, a) is replaced by (i, cid, a'). A corrupt player may choose to have a
be ⊥ and not a value in K. This is taken to mean that the player refuses to
commit.

In round CurrentRound + CommitDelay, if (i, cid, a) with a ∈ K is stored,
send (commit, i, success) to all players. If a = ⊥ send (commit, i, fail).

Open: This command is executed if in some round all honest players send
(open, i, cid). In addition P_i should send x, where x may be accept or refuse, and
where x = accept if P_i is honest. In this case F_COM looks up the triple
(i, cid, a), and if x = accept, it sends in the next round (open, cid, a) to all
players, else it sends (open, cid, fail).

As a minor variation, we also consider private opening of a commit-
ment. This command is executed if in some round all honest players send
(open, i, cid, j). The only difference in its execution is that F_COM sends its
output to player P_j only, rather than to all players. The effect is of course
that only P_j learns the committed value.

The symbol [·]_i denotes a variable in which F_COM keeps a committed value
received from player P_i. Thus when we write [a]_i, this means that player P_i has
committed to a. It is clear from the above that all players know at any point
which committed values have been defined. Of course, such a value is not known
to the players (except the committer), but nevertheless, they can ask F_COM to
manipulate committed values, namely to add committed values, multiply them
by public constants, or transfer a committed value to another player (the final
operation is called a Commitment Transfer Protocol (CTP)):


CommitAdd: This command is executed if all honest players send (commitadd,
cid1, cid2, cid3) (in the same round), and if triples (i, cid1, a), (i, cid2, b) have
been stored previously. Then F_COM stores the triple (i, cid3, a + b).

ConstantMult: This command is executed if all honest players send
(constantmult, cid1, cid2, u) (in the same round) where u ∈ K, and if a
triple (i, cid1, a) has been stored previously. Then F_COM stores the triple
(i, cid2, u · a).

CTP: This command is executed if all honest players send (ctp, i, cid1, j, cid2)
(in the same round), and if a triple (i, cid1, a) has been stored earlier. If P_i is
corrupt, he may send (cid1, refuse) in some round before CurrentRound +
CTPDelay. If this happens, then F_COM sends (cid1, cid2, fail) to all players.
Otherwise, F_COM stores (j, cid2, a), sends a to P_j, and (cid1, cid2, success) to
everyone.

In our abbreviated language, writing [a]_i + [b]_i = [a + b]_i means that the
CommitAdd command is executed, creating [a + b]_i, and u · [a]_i = [ua]_i refers to
executing the ConstantMult command. The CTP command can be thought of as
creating [a]_j from [a]_i. Note that we only require that the addition can be applied
to two commitments made by the same player. Note also that there is no delay
involved in the CommitAdd and ConstantMult commands, so an implementation
cannot use any interaction between players.

A last basic command we assume is that F_COM can be asked to confirm that
three commitments [a]_i, [b]_i, [c]_i satisfy that ab = c. This is known as a Commit-
ment Multiplication Protocol (CMP).

CMP: This command is executed if all honest players send (cmp, cid1, cid2, cid3)
(in the same round), and if triples (i, cid1, a), (i, cid2, b), (i, cid3, c) have been
stored earlier. If P_i is corrupt, he may send (cid1, cid2, cid3, refuse) in some
round before CurrentRound + CMPDelay. If this happens, or if ab ≠ c, then
in round CurrentRound + CMPDelay, F_COM sends (cid1, cid2, cid3, fail) to
all players. Otherwise, F_COM sends (cid1, cid2, cid3, success) to everyone.
The final command we need from F_COM is called a Commitment Sharing
Protocol (CSP). It starts from [a]_i and produces a set of commitments to shares
of a: [a_1]_1, ..., [a_n]_n, where (a_1, ..., a_n) is a correct threshold-t Shamir sharing of
a, generated by P_i. More formally:
CSP: This command is executed if all honest players send (csp, cid0, cid1, ...,
cidn) (in the same round), and if a triple (i, cid0, a) has been stored earlier.
If P_i is honest, he should also send (coefficients of) a polynomial f_a() of
degree at most t, such that f_a(0) = a. If P_i is corrupt, he may send a correct
polynomial in some round before number CurrentRound + CSPDelay, or
he may send (cid0, cid1, ..., cidn, refuse). When we reach round number
CurrentRound + CSPDelay, if a correct polynomial has been received, store
triples (j, cidj, f_a(j)) for j = 1..n, and send (cid0, cid1, ..., cidn, success) to
everyone, else send (cid0, cid1, ..., cidn, fail).
The CTP, CMP, and CSP commands are special: although they can be im-
plemented "from scratch" like the other commands, they can also be implemented
using the commands we already defined. For CTP, we have the following.


Generic CTP Protocol


1. Given a commitment [a]_i, P_i sends privately to P_j his total view of the
protocol execution in which [a]_i was created². If this information is in any
way inconsistent, P_j broadcasts a complaint, and we go to Step 4.

Otherwise (if P_i was honest) P_j is in a situation equivalent to having made
[a]_i himself.

2. P_j commits himself to a, resulting in [a]_j.

3. We use the ConstantMult command to get [−a]_j and the CommitAdd com-
mand to get [a]_i + [−a]_j. Note that, assuming that the information P_j got
in step 1 was correct, this makes sense since then the situation is equivalent
to the case where P_j had been the committer when [a]_i was created. Then
[a]_i + [−a]_j is opened, and we of course expect this to succeed with output
0. If this happens, the protocol ends. Otherwise do Step 4.

4. If we arrive at this step, it is clear that at least one of P_i, P_j is corrupt, so
P_i must then open [a]_i in public, and we either end with fail (if the opening
fails) or a becomes public. We then continue with a default commitment to
a assigned to P_j.


For CMP, we describe this protocol for a prover and a single verifier. To
convince all the players, the protocol is simply repeated independently (for instance
in parallel), each other player P_j taking his turn as the verifier. In the end, all
verifying players broadcast their decision, and the prover is accepted by everyone
if there are more than t accepting verifiers. This guarantees that at least one honest
verifier has accepted the proof.


Generic CMP Protocol
1. Inputs are commitments [a]_i, [b]_i, [c]_i where P_i claims that ab = c. P_i chooses
a random β and makes commitments [β]_i, [βb]_i.
2. P_j generates a random challenge r ∈ K, and sends it to P_i.
3. P_i opens the commitment r[a]_i + [β]_i to reveal a value r_1. P_i opens the
commitment r_1[b]_i − [βb]_i − r[c]_i to reveal 0.
4. If any of these openings fail, P_j rejects the proof, else he accepts it.
It is easy to show that if P_i remains honest, then all values opened are random
(or fixed to 0) and so reveal no extra information to the adversary. If P_i is corrupt,
then it is also straightforward to show that if, after committing in step 1, P_i can
answer correctly two different challenges, then ab = c: the second opened value
equals r(ab − c) + (βb − d), where d is whatever P_i actually committed to in place of βb,
and this is zero for two distinct r only if ab = c. Thus the error probability
is at most 1/|K|.


² As is standard, the view of a protocol consists of all inputs and random coins used, plus all
messages received during the protocol execution.


Finally, for CSP, assuming $[a]_i$ has been defined, $P_i$ chooses a random polynomial $f_a$ of degree at most $t$ such that $f_a(0) = a$. He makes commitments to the coefficients of $f_a$: $[v_1]_i, \ldots, [v_t]_i$ (the degree-0 coefficient of $f_a$ is $a$ and has already been committed). Let $(a_1, \ldots, a_n) = (f_a(1), \ldots, f_a(n))$ be the shares resulting from sharing $a$ using the polynomial $f_a$. Then the $a_j$'s are a linear function of the committed values, and commitments to the shares $([a_1]_i, \ldots, [a_n]_i)$ can be created by calling the CommitAdd and ConstantMult commands, e.g.,

$$[a_j]_i = [a]_i + [v_1]_i \cdot j + [v_2]_i \cdot j^2 + \cdots + [v_t]_i \cdot j^t.$$

Finally, we call CTP to create $[a_j]_j$ from $[a_j]_i$, for $j = 1, \ldots, n$.

Committing to $a$ and then performing CSP is equivalent to what is known as verifiably secret sharing $a$ (VSS): the value $a$ is uniquely defined when the CSP is executed, and it is guaranteed that the honest players can reconstruct it: the commitments to shares prevent corrupted players from contributing false shares when the secret is reconstructed. All we need is that at least $t+1$ good shares are in fact revealed.


4.2.2. An MPC Protocol for Active Adversaries. The protocol starts by asking each player to verifiably secret-share each of his input values as described above: he commits to the value and then performs CSP. If this fails, the player is disqualified and we take default values for his inputs.

We then work our way through the given arithmetic circuit, maintaining as invariant that all inputs and intermediate results computed so far are verifiably secret shared as described above, i.e. each such value $a$ is shared by committed shares $[a_1]_1, \ldots, [a_n]_n$ where all these shares are correct, also those held by corrupted players. Moreover, if $a$ depends on an input from an honest player, this must be a random set of shares determining $a$. From the start, only the input values are classified as having been computed.

Once an output value $y$ has been computed, it can be reconstructed in the obvious way by opening the commitments to the shares $y_1, \ldots, y_n$. This will succeed, as the honest players will contribute enough correct shares, and a corrupted player can only choose between contributing a correct share, or having the opening fail.

It is therefore sufficient to show how addition and multiplication gates are handled. Assume the input values to a gate are $a$ and $b$, determined by committed shares $[a_1]_1, \ldots, [a_n]_n$ and $[b_1]_1, \ldots, [b_n]_n$.

Addition: For $i = 1..n$, $P_i$ computes $a_i + b_i$ and CommitAdd is called to create $[a_i + b_i]_i$. By linearity of the secret sharing, $[a_1 + b_1]_1, \ldots, [a_n + b_n]_n$ determine $a + b$ as required by the invariant.

Multiplication: For $i = 1..n$, $P_i$ computes $a_i \cdot b_i = c_i$, commits to it, and performs CMP on inputs $[a_i]_i, [b_i]_i, [c_i]_i$.

Resharing step: $P_i$ performs CSP on $[c_i]_i$, resulting in commitments $[c_{i1}]_1, \ldots, [c_{in}]_n$.

We describe below how to recover if any of this fails.

Recombination step: For $j = 1..n$, player $P_j$ computes $c_j = \sum_{i=1}^{n} r_i c_{ij}$, where $(r_1, \ldots, r_n)$ is the recombination vector. Also all players compute (non-interactively) $[c_j]_j = \sum_{i=1}^{n} r_i [c_{ij}]_j = [\sum_{i=1}^{n} r_i c_{ij}]_j$. By definition of the recombination vector and linearity of commitments, the commitments $[c_1]_1, \ldots, [c_n]_n$ determine $c = ab$ as required by the invariant.


It remains to be described what should be done if a player $P_i$ fails in the multiplication and resharing step above. In general, the simplest way to handle such failures is to go back to the start of the computation, open the input values of the players that have just been disqualified, and restart the computation, simulating openly the disqualified players. This allows the adversary to slow down the protocol by a factor at most linear in $n$. This solution works in all cases. However, in the i.t. case when $t < n/3$, we can do better: after multiplying shares locally, we have points on a polynomial of degree $2t$, which in this case is less than the number of honest players, $n - t$. In other words, reconstruction of a polynomial of degree $2t$ can be done by the honest players on their own. So the recombination step can always be carried out; we just tailor the recombination vector to the set of players that actually completed the multiplication step correctly.
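The multiplication gate above (local product, resharing, recombination) and the remark that the honest players alone can decode the degree-$2t$ product polynomial when $t < n/3$ are worked through below in Python. This is an added illustration, not code from the lecture notes: the prime field $K = GF(P)$, the player count $n = 7$, the threshold $t = 2$ and the function names are all constructed for the example, and commitments are left out so that only the share arithmetic is shown.

```python
import random

# Constructed example field K = GF(P); any prime larger than n works for Shamir sharing.
P = 2**61 - 1


def poly_eval(coeffs, x):
    """Evaluate sum_k coeffs[k] * x^k over GF(P) by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def share(secret, t, n, rng):
    """Shamir sharing: random polynomial of degree <= t with f(0) = secret; returns [f(1), ..., f(n)]."""
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(t)]
    return [poly_eval(coeffs, i) for i in range(1, n + 1)]


def recombination_vector(points):
    """Lagrange coefficients r_i (i in points) with sum_i r_i * h(i) = h(0)
    for every polynomial h of degree < len(points)."""
    points = list(points)
    r = {}
    for i in points:
        num, den = 1, 1
        for j in points:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        r[i] = num * pow(den, P - 2, P) % P
    return r


def reconstruct(shares, points):
    """Recover h(0) from the shares {i: h(i)} held by the players in `points`."""
    points = list(points)
    r = recombination_vector(points)
    return sum(r[i] * shares[i] for i in points) % P


def multiply_gate(a_shares, b_shares, t, n, rng):
    """One multiplication gate as in the text: local products, resharing, recombination.
    Index i-1 of each list is player P_i's share; returns the new shares c_1..c_n of c = ab."""
    # Multiplication: P_i computes c_i = a_i * b_i, a point on a polynomial of degree 2t.
    c_local = [(a_shares[i] * b_shares[i]) % P for i in range(n)]
    # Resharing step: P_i shares c_i with a fresh degree-t polynomial; c_ij is sent to P_j.
    c_ij = [share(c_local[i], t, n, rng) for i in range(n)]
    # Recombination step: P_j computes c_j = sum_i r_i * c_ij with the recombination vector for all n players.
    r = recombination_vector(range(1, n + 1))
    return [sum(r[i + 1] * c_ij[i][j] for i in range(n)) % P for j in range(n)]


def reconstruct_from_honest_products(c_local, honest, t):
    """i.t. case t < n/3: the n - t >= 2t + 1 honest local products already lie on a
    degree-2t polynomial with value ab at 0, so the honest players can decode it alone."""
    honest = list(honest)
    assert len(honest) >= 2 * t + 1, "need 2t+1 points to interpolate a degree-2t polynomial"
    return reconstruct({i: c_local[i - 1] for i in honest}, honest)


def demo(a, b, t=2, n=7, seed=1):
    """Returns (ab recovered via resharing, ab recovered directly from honest local products)."""
    rng = random.Random(seed)
    a_sh, b_sh = share(a, t, n, rng), share(b, t, n, rng)
    c_sh = multiply_gate(a_sh, b_sh, t, n, rng)
    # Any t+1 of the recombined shares determine c = ab.
    via_reshare = reconstruct({i: c_sh[i - 1] for i in range(1, t + 2)}, range(1, t + 2))
    # Constructed: players n-t+1..n are the corrupt ones; the first n-t players decode the products directly.
    c_local = [(x * y) % P for x, y in zip(a_sh, b_sh)]
    via_direct = reconstruct_from_honest_products(c_local, range(1, n - t + 1), t)
    return via_reshare, via_direct


if __name__ == "__main__":
    print(demo(6, 7))  # (42, 42)
```

The resharing step is what brings the degree back from $2t$ to $t$ so that the invariant holds for the next gate; `reconstruct_from_honest_products` shows why, for $t < n/3$, a failed resharing is not fatal: the $n-t$ honest players hold at least $2t+1$ points of the product polynomial and can recombine with a vector tailored to themselves.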


4.3. Realization of $F_{COM}$: Information Theoretic Scenario

We assume throughout this subsection that we are in the i.t. scenario and that $t < n/3$.

We first look at the commitment scheme: The idea that immediately comes 
to mind in order to have a player D commit to a is to ask him to secret share a. 
At least this will hide a from the adversary if D is honest, and will immediately 
ensure the homomorphic properties we need, namely to add commitments, each 
player just adds his shares, and to multiply by a constant, all shares are multiplied 
by the constant. 

However, if D is corrupt, he can distribute false shares, and can then easily 
“open” a commitment in several ways, as detailed in the exercise below. 


Exercise. A player $P$ sends a value $a_i$ to each player $P_i$ (also to himself). $P$ is supposed to choose these such that $a_i = f(i)$ for all $i$, for some polynomial $f()$ of degree at most $t$, where $t < n/3$ is the maximal number of corrupted players. At some later time, $P$ is supposed to reveal the polynomial $f()$ he used, and each $P_i$ reveals $a_i$. The polynomial is accepted if the values of at most $t$ players disagree with $f()$ (we cannot demand fewer disagreements, since we may get $t$ of them even if $P$ was honest).

1. We assume here (for simplicity) that $n = 3t + 1$. Suppose the adversary corrupts $P$. Show how to choose two different polynomials $f(), f'()$ of degree at most $t$ and values $a_i$ for $P$ to send, such that $P$ can later reveal and have accepted both $f()$ and $f'()$.

2. Suppose for a moment that we would settle for computational security, and that $P$ must send to $P_i$ not only $a_i$, but also his digital signature $s_i$ on $a_i$. We assume that we can force $P$ to send a valid signature even if he is corrupt. We can now demand that, to be accepted, a polynomial must be consistent with all revealed and properly signed shares. Show that now the adversary cannot have two different polynomials accepted, even if up to $t < n/3$ players may be corrupted before the polynomial is to be revealed. Hint: First argue that the adversary must corrupt $P$ before the $a_i, s_i$ are sent out (this is rather trivial). Then, assume $f_1()$ is later successfully revealed and let $C_1$ be the set that is corrupted when $f_1$ is revealed. Assume the adversary could also choose to let $P$ reveal $f_2()$, in which case $C_2$ is the corrupted set. Note that since the adversary is adaptive, you cannot assume that $C_1 = C_2$. But you can still use the players outside $C_1 \cup C_2$ to argue that $f_1() = f_2()$.

3. (Optional) Does the security proved above still hold if $t \ge n/3$? Why or why not?


To prevent the problems outlined above, we must find a mechanism to ensure that the shares of all uncorrupted players after committing consistently determine a polynomial $f$ of degree at most $t$, without harming privacy of course.


Before we do so, it is important to note that $n$ shares out of which at most $t$ are corrupted still uniquely determine the committed value $a$, even if we don't know which $t$ of them are.

Concretely, define the shares
$$s_f = (f(1), \ldots, f(n)),$$
and let $e \in K^n$ be an arbitrary "error vector" subject to
$$w_H(e) \le t,$$
where $w_H$ denotes the Hamming weight of a vector (i.e., the number of its non-zero coordinates), and define
$$\tilde s = s_f + e.$$
Then $a$ is uniquely defined by $\tilde s$.

In fact, more is true, since the entire polynomial $f$ is. This is easy to see from Lagrange Interpolation and the fact that $t < n/3$.

Namely, suppose that $\tilde s$ can also be "explained" as originating from some other polynomial $g$ of degree at most $t$ together with some other error vector $u$ with Hamming weight at most $t$. In other words, suppose that
$$s_f + e = s_g + u.$$
Since $w_H(e), w_H(u) \le t$ and $t < n/3$, there are at least $n - 2t > t$ positions in which the coordinates of both $e$ and $u$ are simultaneously zero. Thus, for more than $t$ values of $i$ we have
$$f(i) = g(i).$$
Since both polynomials have degree at most $t$, this means that
$$f = g.$$


Assuming that we have established the mechanism for ensuring correct sharings as discussed above, there is a simple open protocol for this commitment scheme.

Open Protocol (Version I):

1. Each player $P_i$ simply reveals his share $\tilde s_i$ to all other players $P_j$.

2. Each of them individually recovers the committed value $a$ that is uniquely defined by the revealed shares. This can be done by exhaustive search, or by the efficient method described below.


Note that broadcast is not required here. 

We now show one particular method to efficiently recover the committed value. In fact, we'll recover the entire polynomial $f$.³

Write
$$\tilde s = (\tilde s_1, \ldots, \tilde s_n).$$

The method "interpolates" the points $(i, \tilde s_i)$ by a bi-variate polynomial $Q$ of a special form (which from a computational view comes down to solving a system of linear equations), and "extracts" the polynomial $f$ from $Q$ in a very simple way.

Concretely, let $Q(X,Y) \in K[X,Y]$, $Q \ne 0$ be any polynomial such that, for $i = 1 \ldots n$,
$$Q(i, \tilde s_i) = 0,$$
and such that
$$Q(X,Y) = f_0(X) - f_1(X) \cdot Y,$$
for some $f_0(X) \in K[X]$ of degree at most $2t$ and some $f_1(X) \in K[X]$ of degree at most $t$.

Then we have that
$$f(X) = \frac{f_0(X)}{f_1(X)}.$$

Clearly, the conditions on Q can be described in terms of a linear system of 
equations with Q’s coefficients as the unknowns. 

To recover $f$, we simply select an arbitrary solution to this system, which is a computationally efficient task, define the polynomial $Q$ by the coefficients thus found, extract $f_0, f_1$ from it by appropriately ordering its terms, and finally perform the division of the two, which is again a computationally efficient task.

³ What we show is actually the Berlekamp-Welch decoder for Reed-Solomon error-correcting codes.

We now show correctness of this algorithm. First, we verify that this system is solvable. For this purpose, we may assume that we are given the polynomial $f$ and the positions $A$ in which an error is made (thus, $A$ is a subset of the corrupted players). Define
$$k(X) = \prod_{i \in A} (X - i).$$
Note that its degree is at most $t$. Then
$$Q(X,Y) = k(X) \cdot f(X) - k(X) \cdot Y$$
satisfies the requirements for $Q$, as is verified by simple substitution.

It is now only left to show that whenever some polynomial $Q$ satisfies these requirements, then indeed $f(X) = f_0(X)/f_1(X)$.

To this end, define
$$Q'(X) = Q(X, f(X)) \in K[X],$$
and note that its degree is at most $2t$. If $i \notin A$, then $(i, s_i) = (i, \tilde s_i)$. Thus, for such $i$,
$$Q'(i) = Q(i, f(i)) = Q(i, \tilde s_i) = 0.$$
Since $t < n/3$,
$$n - |A| \ge n - t > 2t.$$
We conclude that the number of zeroes of $Q'(X)$ exceeds its degree, and that it must be the zero polynomial. Therefore,
$$f_0 - f_1 \cdot f = 0,$$
which establishes the claim (note that $f_1 \ne 0$ since $Q \ne 0$).
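The decoder just described (footnote 3: the Berlekamp-Welch decoder), implemented in Python as an added example that is not part of the lecture notes. It sets up exactly the linear system of the text, one equation $Q(i, \tilde s_i) = 0$ per received share with the $2t+1$ coefficients of $f_0$ and the $t+1$ coefficients of $f_1$ as unknowns, takes any non-zero solution, and divides $f_0$ by $f_1$. The prime field $K = GF(P)$, the parameters $n = 7$, $t = 2$ and all function names are constructed for the example.

```python
import random

# Constructed example field K = GF(P); the shares and the decoder live over this prime field.
P = 2**31 - 1


def poly_eval(coeffs, x):
    """Evaluate sum_k coeffs[k] * x^k over GF(P) (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def nullspace_vector(rows, m):
    """One non-zero solution x of the homogeneous system rows * x = 0 over GF(P), or None.
    Plain Gauss-Jordan elimination to reduced row echelon form; the first free column is set to 1."""
    A = [[v % P for v in r] for r in rows]
    pivots = []
    row = 0
    for col in range(m):
        piv = next((k for k in range(row, len(A)) if A[k][col]), None)
        if piv is None:
            continue
        A[row], A[piv] = A[piv], A[row]
        inv = pow(A[row][col], P - 2, P)
        A[row] = [v * inv % P for v in A[row]]
        for k in range(len(A)):
            if k != row and A[k][col]:
                f = A[k][col]
                A[k] = [(vk - f * vr) % P for vk, vr in zip(A[k], A[row])]
        pivots.append((row, col))
        row += 1
        if row == len(A):
            break
    pivot_cols = {c for _, c in pivots}
    free = [c for c in range(m) if c not in pivot_cols]
    if not free:
        return None
    x = [0] * m
    x[free[0]] = 1
    for r, c in pivots:
        x[c] = (-A[r][free[0]]) % P
    return x


def poly_divmod(num, den):
    """Polynomial division over GF(P); coefficient lists are low degree first. Returns (quotient, remainder)."""
    num = num[:]
    while len(den) > 1 and den[-1] == 0:
        den = den[:-1]
    lead_inv = pow(den[-1], P - 2, P)
    q = [0] * max(len(num) - len(den) + 1, 1)
    for k in range(len(num) - len(den), -1, -1):
        coef = num[k + len(den) - 1] * lead_inv % P
        q[k] = coef
        for j, d in enumerate(den):
            num[k + j] = (num[k + j] - coef * d) % P
    return q, num


def berlekamp_welch(received, t):
    """Recover the sharing polynomial f (degree <= t) from received shares s~_1..s~_n (index i-1 holds
    s~_i) of which at most t are wrong; needs n >= 3t + 1. Returns the t+1 coefficients of f, or None.
    Unknowns: the 2t+1 coefficients of f_0 and the t+1 coefficients of f_1 in Q(X,Y) = f_0(X) - f_1(X)*Y;
    one equation Q(i, s~_i) = 0 per received share."""
    n = len(received)
    assert n >= 3 * t + 1
    rows = []
    for i, s in enumerate(received, start=1):
        rows.append([pow(i, k, P) for k in range(2 * t + 1)]
                    + [(-s * pow(i, k, P)) % P for k in range(t + 1)])
    sol = nullspace_vector(rows, 3 * t + 2)
    if sol is None:
        return None
    f0, f1 = sol[:2 * t + 1], sol[2 * t + 1:]
    if not any(f1):  # Q != 0 with f_1 = 0 cannot happen when at most t shares are wrong
        return None
    f, rem = poly_divmod(f0, f1)
    if any(rem):     # the division must be exact (f_0 = f_1 * f); otherwise more than t shares were wrong
        return None
    return (f + [0] * (t + 1))[:t + 1]


def demo(t=2, n=7, seed=7):
    """Constructed run: share a random secret, let t players report wrong shares, decode f."""
    rng = random.Random(seed)
    f = [rng.randrange(P) for _ in range(t + 1)]  # the committed value is f[0]
    shares = [poly_eval(f, i) for i in range(1, n + 1)]
    for i in rng.sample(range(n), t):
        shares[i] = (shares[i] + rng.randrange(1, P)) % P
    return berlekamp_welch(shares, t) == f
```

With $n = 3t+1$ the system has $3t+1$ equations in $3t+2$ unknowns, so a non-zero solution always exists; the argument in the text is what guarantees that every such solution yields the same $f$, which is why the code may take the first free column it finds.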


Below we describe an alternative open protocol that is less efficient in that it 
uses the broadcast primitive. The advantage, however, is that it avoids the above 
“error correction algorithm” which depends so much on the fact that Shamir’s 
scheme is the underlying secret sharing scheme. In fact, it can be easily adapted 
to a much wider class of commitment schemes, namely those based on general 
linear secret sharing schemes. 


Open Protocol (Version II):

1. $D$ broadcasts the polynomial $f$. Furthermore, each player $P_i$ broadcasts his share.

2. Each player decides for himself by the following rule. If all, except for possibly $\le t$, shares are consistent with the broadcast polynomial and its degree is indeed at most $t$, the opening is accepted. The opened value is $a = f(0)$. Else, the opening is rejected.

This works for essentially the same reasons as used before.


Note that both open protocols allow for private opening of a commitment to a designated player $P_j$. This means that only $P_j$ learns the committed value $a$. This is achieved by simply requiring that all information is privately sent to $P_j$, and it works because of the privacy of the commit protocol (as shown later) and because the open protocol only depends on local decisions made by the players.


We now describe the commit protocol. Let $F(X,Y) \in K[X,Y]$ be a symmetric polynomial of degree at most $t$ in both variables, i.e.,
$$F(X,Y) = \sum_{k,l=0}^{t} c_{kl} X^k Y^l$$
and
$$F(X,Y) = F(Y,X),$$
which is of course equivalent to $c_{kl} = c_{lk}$ for all $0 \le k, l \le t$.

We define
$$f(X) = F(X,0), \qquad f(0) = a,$$
and, for $i = 1..n$,
$$f(i) = s_i.$$
Note that
$$\deg f \le t.$$

We call $f$ the real sharing polynomial, $a$ the committed value, and $s_i$ a real share.

We also define, for $i, j = 1 \ldots n$,
$$f_i(X) = F(X, i)$$
and
$$f_i(j) = s_{ij}.$$
Note that
$$\deg f_i \le t.$$

We call $f_i$ a verification polynomial, and $s_{ij}$ a verification share. By symmetry we have
$$s_{ij} = s_{ji}.$$
Commit Protocol:

1. To commit to $a \in K$, $D$ chooses a random, symmetric bivariate polynomial $F(X,Y)$ of degree at most $t$ in both variables, such that
$$F(0,0) = a.$$
$D$ sends the verification polynomial $f_i$ (i.e., its $t+1$ coefficients) privately to $P_i$ for each $i$. $P_i$ sets $s_i = f_i(0)$, his real share.

2. For all $i > j$, $P_i$ sends the verification share $s_{ij}$ privately to $P_j$. It must hold that
$$s_{ij} = s_{ji}.$$
If $P_j$ finds that
$$s_{ij} \ne s_{ji},$$
he broadcasts a complaint.

3. In response to each such complaint (if any), $D$ must broadcast the correct value $s_{ij}$. If $P_j$ finds that the broadcast value differs from $s_{ji}$, he knows that $D$ is corrupt and broadcasts an accusation against $D$, and halts. A similar rule applies to $P_i$ if he finds that the broadcast value differs from $s_{ij}$.

4. For all players $P_i$ who accused $D$ in the previous step (if any), $D$ must now broadcast the correct verification polynomial $f_i$.

5. Each player $P_j$ that is "still in the game" verifies each of the broadcast verification polynomials $f_i$ (if any) against his own verification polynomial $f_j$, by checking that, for each of those, $s_{ij} = s_{ji}$. If there is any inequality, $P_j$ knows that $D$ is corrupt, and broadcasts an accusation against $D$ and halts.

6. If there are $\le t$ accusations in total, $D$ is accepted. In this case, each player $P_i$ who accused $D$ in Step 3 replaces the verification polynomial received in Step 1 by the polynomial $f_i$ broadcast in Step 4, and defines $s_i = f_i(0)$ as his real share. All others stick to their real shares as defined from the verification polynomials received in Step 1. If there are $> t$ accusations in total, the dealer is deemed corrupt.

We sketch a proof that this commitment scheme works. For simplicity we assume that the adversary is static.

Honest $D$ Case: It is immediate, by inspection of the protocol, that honest players never accuse an honest $D$. Therefore, there are at most $t$ accusations and the commit protocol is always accepted.

In particular, each honest player $P_i$ accepts $s_i = f(i)$ as defined in step 1 as his real share. This means that in the open protocol $a = f(0)$ is accepted as the committed value.
For privacy, i.e., that the adversary does not learn the committed value $a$, note first that steps 2-4 of the commit protocol are designed such that the adversary learns nothing he was not already told in step 1.

Indeed, the only information that becomes available to the adversary afterwards is what is broadcast by the dealer. This is either a verification share $s_{ij}$ where $P_i$ is corrupt or $P_j$ is corrupt, or a verification polynomial $f_i$ of a corrupt player $P_i$. All of this is already implied by the information the adversary received in step 1.

Therefore, it is sufficient to argue that the information in step 1 does not reveal $a$ to the adversary.

Denote by $A$ the set of corrupted players, with $|A| \le t$. It is sufficient to show that for each guess $a'$ at $a$, there is the same number of appropriate polynomials $F'(X,Y)$ consistent with the information received by the adversary in step 1.

By appropriate we mean that $F'(X,Y)$ should be symmetric, of degree at most $t$ in both variables, and for all $i \in A$ we must have $f'_i(X) = f_i(X)$.

Consider the polynomial
$$h(X) = \prod_{i \in A} \frac{i - X}{i} \in K[X].$$
Note that its degree is at most $t$, $h(0) = 1$ and $h(i) = 0$ for all $i \in A$.

Now define
$$Z(X,Y) = h(X) \cdot h(Y) \in K[X,Y].$$
Note that $Z(X,Y)$ is symmetric and of degree at most $t$ in both variables, and that it has the further property that $Z(0,0) = 1$ and $z_i(X) = Z(X,i) = 0$ for all $i \in A$.

If $D$ in reality used the polynomial $F(X,Y)$, then for all possible $a'$, the information held by the adversary is clearly also consistent with the polynomial
$$F'(X,Y) = F(X,Y) + (a' - a) \cdot Z(X,Y).$$
Indeed, it is symmetric, of degree at most $t$ in both variables, and, for $i \in A$,
$$f'_i(X) = f_i(X) + (a' - a) \cdot z_i(X) = f_i(X),$$
and
$$f'(0) = F'(0,0) = F(0,0) + (a' - a) \cdot Z(0,0) = a + (a' - a) = a'.$$

This construction immediately gives a one-to-one correspondence between the consistent polynomials for committed value $a$ and those for $a'$. Thus all values are equally likely from the point of view of the adversary.
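The first two steps of the commit protocol (dealer distributes $f_i(X) = F(X,i)$, players compare $s_{ij}$ with $s_{ji}$) and the privacy construction $F' = F + (a' - a) \cdot h(X)h(Y)$ just given, worked through in Python. This is an added example rather than code from the lecture notes: the field $K = GF(P)$, $n = 7$, $t = 2$, the corrupted set $A = \{1, 2\}$ and the function names are constructed, and the broadcast and accusation steps 3-6 are not modelled.

```python
import random

# Constructed example field K = GF(P).
P = 1_000_003


def poly_eval(coeffs, x):
    """Evaluate a coefficient list (low degree first) at x over GF(P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def poly_mul(p, q):
    out = [0] * (len(p) + len(q) - 1)
    for i, pi in enumerate(p):
        for j, qj in enumerate(q):
            out[i + j] = (out[i + j] + pi * qj) % P
    return out


def random_symmetric_F(a, t, rng):
    """Step 1: a random symmetric F(X,Y) = sum c[k][l] X^k Y^l, degree <= t in each variable, F(0,0) = a."""
    c = [[0] * (t + 1) for _ in range(t + 1)]
    for k in range(t + 1):
        for l in range(k, t + 1):
            c[k][l] = c[l][k] = rng.randrange(P)
    c[0][0] = a % P
    return c


def verification_poly(c, i):
    """f_i(X) = F(X, i) as a coefficient list in X (what D sends privately to P_i)."""
    t = len(c) - 1
    return [sum(c[k][l] * pow(i, l, P) for l in range(t + 1)) % P for k in range(t + 1)]


def pairwise_complaints(polys):
    """Step 2: P_i sends s_ij = f_i(j) to P_j, who compares it with s_ji = f_j(i).
    polys[i-1] is P_i's verification polynomial; returns the pairs (i, j) that disagree."""
    n = len(polys)
    return [(i, j) for i in range(1, n + 1) for j in range(1, i)
            if poly_eval(polys[i - 1], j) != poly_eval(polys[j - 1], i)]


def real_shares(polys):
    """s_i = f_i(0) for every player."""
    return [poly_eval(f, 0) for f in polys]


def h_poly(A, t):
    """h(X) = prod_{i in A} (i - X) / i: degree |A| <= t, h(0) = 1, h(i) = 0 for i in A (padded to t+1 coeffs)."""
    h = [1]
    for i in A:
        inv = pow(i, P - 2, P)
        h = poly_mul(h, [i * inv % P, (-inv) % P])
    return h + [0] * (t + 1 - len(h))


def shifted_F(c, A, a_prime):
    """F'(X,Y) = F(X,Y) + (a' - a) * h(X) h(Y): identical f_i for every i in A, but F'(0,0) = a'."""
    t = len(c) - 1
    h = h_poly(A, t)
    d = (a_prime - c[0][0]) % P
    return [[(c[k][l] + d * h[k] * h[l]) % P for l in range(t + 1)] for k in range(t + 1)]


def demo(a=42, a_prime=7, t=2, n=7, seed=3):
    rng = random.Random(seed)
    c = random_symmetric_F(a, t, rng)
    polys = [verification_poly(c, i) for i in range(1, n + 1)]
    honest_dealer_clean = pairwise_complaints(polys) == []
    # Constructed misbehaviour: D hands P_3 a polynomial that is not F(X, 3); step 2 flags it.
    bad = [f[:] for f in polys]
    bad[2][0] = (bad[2][0] + 1) % P
    caught = len(pairwise_complaints(bad)) > 0
    # Privacy: the corrupted set A = {1, 2} holds exactly the same f_1, f_2 under F and under F'.
    A = [1, 2]
    c2 = shifted_F(c, A, a_prime)
    same_view = all(verification_poly(c2, i) == verification_poly(c, i) for i in A)
    return honest_dealer_clean, caught, same_view, c2[0][0]
```

`shifted_F` is the one-to-one correspondence of the proof made concrete: for any guess $a'$ it produces an appropriate $F'$ whose rows for the corrupted players are unchanged, so nothing the adversary received in step 1 distinguishes $a$ from $a'$.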


Corrupt $D$ Case: Let $B$ denote the set of honest players, and let $s_i$, $i \in B$, be the real shares as defined at the end of the protocol. In other words, $s_i = f_i(0)$, where $f_i$ is the verification polynomial as defined at the end of the protocol.

We have to show that if the protocol was accepted, then there exists a polynomial $g(X) \in K[X]$ such that its degree is at most $t$ and $g(i) = s_i$ for all $i \in B$.
It is important to realize that we have to argue this from the acceptance assumption alone; we cannot make any a priori assumptions on how a corrupt $D$ computes the various pieces of information.

Write $C$ for the set of honest players that did not accuse $D$ at any point. Note that
$$|C| \ge n - \#\mathrm{Accusations} - \#\mathrm{Corruptions} \ge n - 2t > t.$$

Furthermore, there is consistency between the players in $C$ on the one hand, and the players in $B$ on the other hand. Namely, for all $P_i \in C$, $P_j \in B$, it follows from the acceptance assumption that
$$f_i(j) = f_j(i),$$
where the verification polynomials are defined as at the end of the protocol.

Indeed, let $P_i \in C$ be arbitrary and let $P_j \in B$ be an arbitrary honest player who did not accuse the dealer before step 5. Then their verification polynomials $f_i, f_j$ as defined at the end are the ones given in step 1. If it were so that $f_i(j) \ne f_j(i)$, then at least one of the two would have accused $D$ in step 3.

On the other hand, if $P_j$ is a player who accused $D$ in step 3, and if the broadcast polynomial $f_j$ is not consistent with $P_i$'s verification polynomial, $P_i$ would have accused $D$ in step 5.

Let $r_i$, $i \in C$, be the coefficients of the recombination vector for $C$. Define
$$g(X) = \sum_{i \in C} r_i \cdot f_i(X).$$
Note that its degree is at most $t$. We now only have to verify that for all $j \in B$, we have $s_j = g(j)$. Indeed, we have that
$$g(j) = \sum_{i \in C} r_i \cdot f_i(j) = \sum_{i \in C} r_i \cdot f_j(i) = f_j(0) = s_j.$$

The first equality follows by definition of $g(X)$, the second by the observed consistency, the third by Lagrange interpolation and the fact that $|C| > t$ and that the degree of $g$ is at most $t$, and the final equality follows by definition of the real shares at the end of the protocol.

This concludes the analysis of the commit protocol. Note that both the commit and the open protocol consume a constant number of rounds of communication.


So this commitment scheme works with no probability of error, if t < n/3. If 
instead we have t < n/2, the commit protocol can be easily adapted so that the 
proof that all honest players have consistent shares still goes through; basically, 
the process of accusations with subsequent broadcast of verification polynomials 
as in step 5 will be repeated until there are no new accusations (hence the commit 
protocol may no longer be constant round). 

However, the proof that the opening always succeeds fails. The problem is that since honest players cannot prove that the shares they claim to have received are genuine, we have to accept up to $n/2$ complaints in the opening phase, and this will allow a corrupt $D$ to open a commitment any way he wants. Clearly, if $D$ could digitally sign his shares, then we would not have to accept any complaints and we would be in business again. Of course, digital signatures require computational assumptions, which we do not want to make in this scenario. However, there are ways to make unconditionally secure authentication schemes which ensure the same functionality (except with negligibly small error probability, see [12]).

Finally, this commitment scheme generalizes nicely to a scenario in which the 
underlying secret sharing scheme is not Shamir’s but in fact a general linear secret 
sharing scheme (see later for more details on this). 


We now show a Commitment Multiplication Protocol (CMP) that works without error if $t < n/3$.


CMP:

1. Inputs are commitments $[a]_i, [b]_i, [c]_i$ where $P_i$ claims that $ab = c$. First $P_i$ performs CSP on commitments $[a]_i, [b]_i$ to get committed shares $[a_1]_1, \ldots, [a_n]_n$ and $[b_1]_1, \ldots, [b_n]_n$.

2. $P_i$ computes the polynomial $g_c = f_a \cdot f_b$, where $f_a$ ($f_b$) is the polynomial used for sharing $a$ ($b$) in the previous step. He commits to the coefficients of $g_c$. Note that there is no need to commit to the degree 0 coefficient, since this should be $c$, which is already committed to.

3. Define $c_j = g_c(j)$. From the commitments made so far and $[c]_i$, the players can compute (by linear operations) commitments $[c_1]_i, \ldots, [c_n]_i$, where of course $P_i$ claims that $a_j b_j = c_j$, for $1 \le j \le n$.

4. For $j = 1, \ldots, n$, commitment $[c_j]_i$ is opened privately to $P_j$, i.e. the shares needed to open it are sent to $P_j$ (instead of being broadcast).

5. If the value revealed this way is not $a_j b_j$, $P_j$ broadcasts a complaint and opens (his own) commitments $[a_j]_j, [b_j]_j$. In response, $P_i$ must open $[c_j]_i$ and is disqualified if $a_j b_j \ne c_j$.

We argue the correctness of this protocol.

Clearly, no matter how a possible adversary behaves, there is a polynomial $g_c$ of degree at most $2t$ such that $c = g_c(0)$ and each $c_j = g_c(j)$.

Consider the polynomial $f_a \cdot f_b$, which is of degree at most $2t$ as well.

Suppose that $c \ne ab$. Thus $g_c \ne f_a \cdot f_b$. By Lagrange Interpolation, it follows that for at most $2t$ values of $j$ we have $g_c(j) = f_a(j) \cdot f_b(j)$, or equivalently, $c_j = a_j b_j$.

Thus at least $n - 2t$ players $P_j$ have $c_j \ne a_j b_j$, which is at least one more than the maximum number $t$ of corrupted players (since $t < n/3$).

Therefore, at least one honest player will complain, and the prover is exposed in the last step of the protocol.
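The counting argument above, as an added Python example (not code from the lecture notes): the local checks of steps 3-5 are run over all $n$ players, first against an honest prover with $g_c = f_a \cdot f_b$, then against a prover claiming $c \ne ab$ who chooses the degree-$2t$ polynomial $g_c$ that agrees with $f_a \cdot f_b$ in as many positions as a degree-$2t$ polynomial can, namely $2t$ of them. The field $K = GF(P)$, $n = 7$, $t = 2$, the shared values and the function names are constructed; commitments and the CSP step are not modelled, only the polynomials they would fix.

```python
import random

# Constructed example field K = GF(P).
P = 1_000_003


def poly_eval(coeffs, x):
    """Evaluate a coefficient list (low degree first) at x over GF(P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def poly_mul(p, q):
    out = [0] * (len(p) + len(q) - 1)
    for i, pi in enumerate(p):
        for j, qj in enumerate(q):
            out[i + j] = (out[i + j] + pi * qj) % P
    return out


def sharing_poly(secret, t, rng):
    """Degree-<=t polynomial with constant term `secret`, as fixed by CSP in step 1."""
    return [secret % P] + [rng.randrange(P) for _ in range(t)]


def complaining_players(f_a, f_b, g_c, n):
    """Steps 3-5: P_j receives c_j = g_c(j) privately and complains unless c_j = a_j * b_j."""
    return [j for j in range(1, n + 1)
            if poly_eval(g_c, j) != poly_eval(f_a, j) * poly_eval(f_b, j) % P]


def closest_wrong_g(f_a, f_b, c_claimed, t):
    """For the analysis only (constructed, not part of the protocol): the degree-2t polynomial g_c with
    g_c(0) = c_claimed that agrees with f_a * f_b at positions 1..2t. By Lagrange interpolation no
    degree-2t polynomial other than f_a * f_b itself can agree at more than 2t positions."""
    prod = poly_mul(f_a, f_b)                     # degree 2t, constant term ab
    delta = (c_claimed - prod[0]) % P
    v = [1]                                       # v(X) = prod_{j=1}^{2t} (1 - X/j): v(0) = 1, v(j) = 0 for j <= 2t
    for j in range(1, 2 * t + 1):
        v = poly_mul(v, [1, (-pow(j, P - 2, P)) % P])
    return [(p + delta * vk) % P for p, vk in zip(prod, v)]


def demo(t=2, n=7, seed=5):
    """Returns (complainers against an honest prover, complainers against the best wrong g_c)."""
    rng = random.Random(seed)
    f_a, f_b = sharing_poly(6, t, rng), sharing_poly(7, t, rng)   # a = 6, b = 7, so ab = 42
    honest = complaining_players(f_a, f_b, poly_mul(f_a, f_b), n)
    cheating = complaining_players(f_a, f_b, closest_wrong_g(f_a, f_b, 43, t), n)
    return honest, cheating
```

With $n = 7$ and $t = 2$ the wrong polynomial is caught by exactly $n - 2t = 3$ players, one more than the $t = 2$ that could be corrupt, which is the bound the proof uses.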
CSP:

Although CSP can be bootstrapped in a generic fashion from homomorphic commitment and CTP using the Generic CSP Protocol given earlier, we now argue that in the information theoretic scenario with $t < n/3$, there is a much simpler and more efficient solution: a slightly more refined analysis shows that the commit protocol we presented earlier is essentially already a CSP!

Consider an execution of the commit protocol, assuming $D$ is honest. It is immediate that, for each player $P_i$ (honest or corrupt!), there exists a commitment $[s_i]_i$ to his share $s_i$ in the value $a$ that $D$ is committed to via $[a]_D$. The polynomial underlying $[s_i]_i$ is of course the verification polynomial $f_i(X)$, and each honest player $P_j$ obtains $f_i(j)$ as $f_j(i)$.

Therefore, if each honest player holds on to his verification polynomial for later use, each player $P_i$ is committed to his share $s_i$ in the value $a$ via $[s_i]_i$.

Apart from handling the corrupt $D$ case, the only thing to be settled is that, by definition, CSP takes as input a commitment $[a]_D$. This, however, can easily be "imported" into the protocol: $D$ knows the polynomial $f$ that underlies $[a]_D$, and the players know their shares in $a$. We simply modify the commit protocol by requiring that $D$ chooses this particular $f$ as the real sharing polynomial. Also, upon receiving his verification polynomial in the first step of the commit protocol, each player checks that his real share is equal to the share in $a$ he already had as part of the input. If this is not so, he broadcasts an accusation. If there are at most $t$ accusations, the commit protocol continues as before. Else, it is aborted, and $D$ is deemed corrupt. It is easy to see that this works; if $D$ is honest it clearly does, and if $D$ is corrupt and uses a different real sharing polynomial, then, by similar arguments as used before, there are more than $t$ accusations from honest players.


As for the case of a possibly corrupt $D$, the discussion above shows that it is sufficient to prove the following. If the commit protocol is accepted, then there exists a unique symmetric bi-variate polynomial $G(X,Y) \in K[X,Y]$, with the degrees in $X$ as well as $Y$ at most $t$, such that for an honest player $P_i$, $f_i(X) = G(X,i)$ is the verification polynomial held by him at the end of the protocol. In other words, if the protocol is accepted, then, regardless of whether the dealer is honest or not, the information held by the honest players is "consistent with an honest $D$."

We have to justify the claim above from the acceptance assumption only; we cannot make any a priori assumptions about how a possibly corrupt $D$ computes the various pieces of information.

Let $C$ denote the subset of the honest players $B$ that do not accuse $D$ at any point. As we have seen, acceptance implies $|C| \ge t+1$ as well as "consistency," i.e., for all $i \in C$ and for all $j \in B$, $f_i(j) = f_j(i)$. Without loss of generality, we now assume that $|C| = t+1$.

Let $\delta_i(X) \in K[X]$ denote the polynomial of degree $t$ such that for all $i, j \in C$,
$$\delta_i(j) = 1 \text{ if } i = j \quad\text{and}\quad \delta_i(j) = 0 \text{ if } i \ne j,$$
or, equivalently,
$$\delta_i(X) = \prod_{j \in C,\, j \ne i} \frac{X - j}{i - j}.$$
Recall that the Lagrange Interpolation Theorem may be phrased as follows. If $h(X) \in K[X]$ has degree at most $t$, then $h(X) = \sum_{i \in C} h(i)\,\delta_i(X)$.

Consider the polynomial
$$G(X,Y) = \sum_{i \in C} f_i(X)\,\delta_i(Y) \in K[X,Y].$$

This is clearly the unique polynomial in $K[X,Y]$ whose degree in $Y$ is at most $t$ and for which $G(X,i) = f_i(X)$ for all $i \in C$. This follows from Lagrange Interpolation applied over $K(X)$, i.e., the fraction field of $K[X]$, rather than over $K$. Note also that its degree in $X$ is at most $t$.

We now verify that $G(X,Y)$ is symmetric:
$$G(X,Y) = \sum_{i \in C} f_i(X)\,\delta_i(Y) = \sum_{i \in C} \Big( \sum_{j \in C} f_i(j)\,\delta_j(X) \Big) \delta_i(Y)$$
$$= \sum_{i \in C} f_i(i)\,\delta_i(X)\,\delta_i(Y) + \sum_{i,j \in C,\, i < j} f_i(j) \big( \delta_j(X)\,\delta_i(Y) + \delta_i(X)\,\delta_j(Y) \big),$$
where the last equality follows from consistency.

Finally, for all $j \in B$, we have that
$$f_j(X) = \sum_{i \in C} f_j(i)\,\delta_i(X) = \sum_{i \in C} f_i(j)\,\delta_i(X) = \sum_{i \in C} G(j,i)\,\delta_i(X) = \sum_{i \in C} G(i,j)\,\delta_i(X) = G(X,j),$$
as desired.
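The construction $G(X,Y) = \sum_{i \in C} f_i(X)\,\delta_i(Y)$ and the two checks just proved (symmetry, and $G(X,j) = f_j(X)$ for every honest $j$), carried out in Python as an added example that is not from the lecture notes. The dealer here is honest, so the verification polynomials are rows of a symmetric $F$; the field $K = GF(P)$, $n = 7$, $t = 2$, $C = \{1, 2, 3\}$ and the function names are constructed for the example.

```python
import random

# Constructed example field K = GF(P).
P = 1_000_003


def poly_eval(coeffs, x):
    """Evaluate a coefficient list (low degree first) at x over GF(P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def poly_mul(p, q):
    out = [0] * (len(p) + len(q) - 1)
    for i, pi in enumerate(p):
        for j, qj in enumerate(q):
            out[i + j] = (out[i + j] + pi * qj) % P
    return out


def lagrange_basis(C):
    """delta_i(X) = prod_{j in C, j != i} (X - j) / (i - j) for each i in C, as coefficient lists."""
    basis = {}
    for i in C:
        d = [1]
        for j in C:
            if j != i:
                inv = pow((i - j) % P, P - 2, P)
                d = poly_mul(d, [(-j * inv) % P, inv])
        basis[i] = d
    return basis


def build_G(polys, C):
    """G(X,Y) = sum_{i in C} f_i(X) delta_i(Y), as the matrix G[k][l] of coefficients of X^k Y^l.
    polys[i] is the verification polynomial f_i held by P_i; C must contain exactly t+1 players."""
    t = len(C) - 1
    basis = lagrange_basis(C)
    G = [[0] * (t + 1) for _ in range(t + 1)]
    for i in C:
        for k in range(t + 1):
            for l in range(t + 1):
                G[k][l] = (G[k][l] + polys[i][k] * basis[i][l]) % P
    return G


def row_poly(G, j):
    """G(X, j) as a polynomial in X."""
    t = len(G) - 1
    return [sum(G[k][l] * pow(j, l, P) for l in range(t + 1)) % P for k in range(t + 1)]


def is_symmetric(G):
    return all(G[k][l] == G[l][k] for k in range(len(G)) for l in range(len(G)))


def demo(t=2, n=7, seed=11):
    """Constructed run with an honest dealer: F symmetric, f_i(X) = F(X, i), C = {1, ..., t+1}.
    Returns (G symmetric?, G == F?, G(X, j) == f_j for every player j?, pairwise consistency?)."""
    rng = random.Random(seed)
    F = [[0] * (t + 1) for _ in range(t + 1)]
    for k in range(t + 1):
        for l in range(k, t + 1):
            F[k][l] = F[l][k] = rng.randrange(P)
    polys = {i: row_poly(F, i) for i in range(1, n + 1)}
    C = list(range(1, t + 2))
    G = build_G(polys, C)
    consistent = all(poly_eval(polys[i], j) == poly_eval(polys[j], i) for i in C for j in polys)
    return is_symmetric(G), G == F, all(row_poly(G, j) == polys[j] for j in polys), consistent
```

Note that `build_G` only reads the $t+1$ polynomials of the players in $C$; that it nevertheless reproduces $f_j$ for every other honest $j$ is exactly the content of the last chain of equalities, and it relies on nothing but the pairwise consistency that acceptance guarantees.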


4.4. Formal Proof for the $F_{COM}$ Realization

We have not given a full formal proof that the $F_{COM}$ realization we presented really implements $F_{COM}$ securely according to the definition. For this, one needs to present a simulator and prove that it acts as it should according to the definition. We will not do this in detail here, but we will give the main ideas one needs to build such a simulator; basically, one needs the following two observations:

• If player $P_i$ is honest and commits to some value $x_i$, then since the commitment is based on secret sharing, this only results in the adversary seeing an unqualified set of shares, insufficient to determine $x_i$ (we argued that anything else the adversary sees follows from these shares). The set of shares is easy to simulate even if $x_i$ is not known, e.g., by secret sharing an arbitrary value and extracting shares for the currently corrupted players. This simulation is perfect because our analysis above shows that an unqualified set of shares has the same distribution regardless of the value of the secret. If the (adaptive) adversary corrupts $P_i$ later, it expects to see all values related to the commitment. But then the simulator can corrupt $P_i$ in the ideal process and learn the value $x_i$ that was committed to. It can then easily make a full set of shares that are consistent with $x_i$ and show them to the adversary. This can be done by solving a set of linear equations, since each share is a linear function of $x_i$ and randomness chosen by the committer.

• If $P_i$ is corrupt already when it is supposed to commit to $x_i$, the adversary decides all messages that $P_i$ should send, and the simulator sees all these messages. As we discussed, either the commitment is rejected by the honest players and $P_i$ is disqualified, or the messages sent by $P_i$ uniquely determine a value $x_i$. So then the simulator can in the ideal process send $x_i$ on behalf of $P_i$.


5. The Cryptographic Scenario 


We have now seen how to solve the MPC problem in the i.t. scenario. Handling the 
cryptographic case can be done in various ways, each of which can be thought of as 
different ways of adapting the information theoretic solution to the cryptographic 
scenario. 


5.1. Using Encryption to Implement the Channels 


A very natural way to adapt the information theoretic solution is the following: 
since the i.t. protocol works assuming perfect channels connecting every pair of 
players, we could simply run the information theoretically secure protocol, but 
implement the channels using encryption, say by encrypting each message under 
the public key of the receiver. Intuitively, if the adversary is bounded and cannot 
break the encryption, he is in a situation no better than in the i.t. scenario, and 
security should follow from security of the information theoretic protocol. 

This approach can be formalized by thinking of the i.t. scenario as being 
the cryptographic scenario extended with an ideal functionality that provides the 
perfect channels, i.e., it will accept from any player a message intended for another 
player, and will give the message to the receiver without releasing any information 
to the adversary, other than the length of the message. If a given method for 
encryption can be shown to securely realize this functionality, the result we wanted 
follows directly from the composition theorem. 

For a static adversary, standard semantically secure encryption provides a secure realization of this communication functionality, whereas for an adaptive adversary, one needs a strong property known as non-committing encryption [9]. The reason is as follows: suppose player $P_i$ has not yet been corrupted. Then the adversary of course does not know his input values, but it has seen encryptions of them. The simulator doesn't know the inputs either, so it must make fake encryptions with some arbitrary content to simulate the actions of $P_i$. This is all fine for the time being, but if the adversary corrupts $P_i$ later, then the simulator gets an input for $P_i$, and must produce a good simulation of $P_i$'s entire history to show to the adversary, and this must be consistent with this input and what the adversary already knows. Now the simulator is stuck: it cannot open its simulated encryptions the right way. Non-committing encryption solves exactly this problem by allowing the simulator to create "fake" encryptions that can later be convincingly claimed to contain any desired value.

Both semantically secure encryption and non-committing encryption can be 
implemented based on any family of trapdoor one-way permutations, so this shows 
that these general complexity assumptions are sufficient for general cryptographic 
MPC. More efficient encryption schemes exist based on specific assumptions such 
as hardness of factoring. However, known implementations of non-committing en- 
cryption are significantly slower, typically by a factor of k where k is the security 
parameter. 


5.2. Cryptographic Implementations of Higher-Level Functionalities 


Another approach is to use the fact that the general actively secure solution is 
really a general high-level protocol that makes use of the F_COM functionality to 
reach its goal. 

Therefore, a potentially more efficient solution can be obtained if one can 
make a cryptographically secure implementation of F_COM, as well as the commu- 
nication functionality. 

If the adversary is static, we can use, e.g., the commitments from [11] based 
on q-one-way homomorphisms, which exist, e.g., if RSA is hard to invert or if the 
decisional Diffie-Hellman problem in some prime order group is hard. We then 
require that the field over which we compute is GF(q). A simple example is if we 
have primes p, q, where q | p - 1, and g, h, y are elements in Z_p^* of order q chosen as 
public key by player P_i. Then [a]_i is of form (g^r, y^a h^r), i.e., a Diffie-Hellman (El 
Gamal) encryption of y^a under public key (g, h). In [11], protocols are shown for 
proving efficiently in zero-knowledge that you know the contents of a commitment, 
and that two commitments contain the same value, even if they were done with 
respect to different public keys. It is trivial to derive a CTP from this: P_i privately 
reveals the contents and random bits for [a]_i to P_j (by sending them encrypted 
under P_j's public key). If this is not correct, P_j complains, otherwise he makes 
[a]_j and proves it contains the same value as [a]_i. Finally, [11] also show a CMP 
protocol. We note that, in order to be able to do a simulation-based proof of 
security of this F_COM implementation, each player must give a zero-knowledge proof 
of knowledge of his secret key initially, as well as prove that he knows the contents 
of each commitment he makes. 
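As an added illustration (this is not code from the lecture notes or from [11]), the following Python snippet builds the commitment described above, [a] = (g^r, y^a h^r), in a small constructed group and checks the two properties the protocol relies on: a commitment opens only to the committed value, and commitments are additively homomorphic (componentwise product commits to the sum), which is what makes the CTP step, where P_j checks P_i's private opening and re-commits under its own key, cheap. The group parameters p = 1019, q = 509, the fixed generators, and the derivation of h from a secret exponent are constructed assumptions of this example, not values from the text.

```python
import secrets

# Constructed toy parameters: p = 2q + 1 with p = 1019 and q = 509 both prime,
# so every square in Z_p^* other than 1 has order q.  Real use needs large primes.
P = 1019
Q = 509
G = pow(2, 2, P)   # 4, an element of order q
Y = pow(5, 2, P)   # 25, an element of order q, fixed part of every key


def keygen(secret_exponent):
    """Constructed key shape: h = g^s for a secret s known to the key owner.
    The text only says g, h, y of order q are chosen by P_i; s is the secret
    key that P_i must prove knowledge of in the simulation-based proof."""
    h = pow(G, secret_exponent % Q, P)
    return (G, h, Y)


def commit(key, a, r=None):
    """[a] = (g^r, y^a * h^r): an El Gamal encryption of y^a under (g, h)."""
    g, h, y = key
    if r is None:
        r = secrets.randbelow(Q)          # fresh randomness in Z_q
    c = (pow(g, r, P), (pow(y, a % Q, P) * pow(h, r, P)) % P)
    return c, r


def open_commitment(key, c, a, r):
    """The receiver recomputes the commitment from the claimed (a, r)."""
    return commit(key, a, r)[0] == c


def add_commitments(c1, c2):
    """Componentwise product: commits to a1 + a2 with randomness r1 + r2 (mod q)."""
    return ((c1[0] * c2[0]) % P, (c1[1] * c2[1]) % P)


def transfer(key_i, c_i, a, r, key_j):
    """The CTP step from the text: P_j checks P_i's private opening of [a]_i
    and, if it is correct, makes its own [a]_j under key_j.  None means that
    P_j complains (the equality proof between [a]_i and [a]_j is not modelled)."""
    if not open_commitment(key_i, c_i, a, r):
        return None
    return commit(key_j, a)
```

Exponents live in Z_q, so `commit` reduces a modulo q; that is why adding commitments whose values sum past q still opens to the sum modulo q, matching the requirement that the computation field be GF(q).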

If the adversary is adaptive, the above technique will not work, for the same 
reasons as explained in the previous subsection. It may seem natural to then go to 
commitments and encryption with full adaptive security, but this means we need 
to use non-committing encryption and so we will lose efficiency. However, under 
specific number theoretic assumptions, it is possible to build adaptively secure 
protocols using a completely different approach based on homomorphic public key 
encryption, without losing efficiency compared to the static security case [17]. 
6. Protocols Secure for General Adversary Structures 


It is relatively straightforward to use the techniques we have seen to construct 
protocols secure against general adversaries, i.e., where the adversary’s corruption 
capabilities are not described only by a threshold t on the number of players that 
can be corrupt, but by a general adversary structure, as defined earlier. 

What we have seen so far can be thought of as a way to build secure MPC 
protocols from Shamir’s secret sharing scheme. The idea is now to replace Shamir’s 
scheme by something more general, but otherwise use essentially the same high- 
level protocol. 

To see how such a more general scheme could work, observe that the eval- 
uation of shares in Shamir's scheme can be described in an alternative way. If 
the polynomial used is f(x) = s + a_1 x + ... + a_t x^t, we can think of the coef- 
ficients (s, a_1, ..., a_t) as being arranged in a column vector a. Evaluating f in 
points 1, 2, ..., n is now equivalent to multiplying the vector by a Van der Monde 
matrix M, with rows of form (i^0, i^1, ..., i^t). We may think of the scheme as being 
defined by this fixed matrix, and by the rule that each player is assigned one row of 
the matrix, and gets as his share the coordinate of Ma corresponding to his row. 

It is now immediate to think of generalizations of this: to other matrices 
than Van der Monde, and to cases where players can have more than one row 
assigned to them. This leads to general linear secret sharing schemes, also known 
as Monotone Span Programs (MSP). The term “linear” is motivated by the fact 
any such scheme has the same property as Shamir’s scheme, that sharing two 
secrets s,s’ and adding corresponding shares of s and s’, we obtain shares of 
s +s’. The protocol constructions we have seen have primarily used this linearity 
property, so this is why it makes sense to try to plug in MSP’s instead of Shamir’s 
scheme. There are, however, several technical difficulties to sort out along the way, 
primarily because the method we used to do secure multiplication only generalizes 
to MSP’s with a certain special property, so called multiplicative MSP’s. Not all 
MSP’s are multiplicative, but it turns out that any MSP can be used to construct a 
new one that is indeed multiplicative. 
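The matrix view of Shamir's scheme and the linearity property just described, carried out in code as an added example (not code from the notes): shares are the coordinates of M·a over a constructed prime field, adding two share vectors gives shares of the summed secrets, and a qualified set of t+1 players reconstructs by solving the linear system formed by its rows of M. The field modulus and the use of Gauss-Jordan elimination for reconstruction are assumptions of this example; replacing `vandermonde` by another matrix, possibly with several rows per player, is the step toward the general linear secret sharing schemes (MSPs) described above.

```python
import random

P = 2**61 - 1   # constructed prime field modulus; any prime larger than n works


def vandermonde(n, t):
    """Row i (for player i = 1..n) is (i^0, i^1, ..., i^t)."""
    return [[pow(i, e, P) for e in range(t + 1)] for i in range(1, n + 1)]


def share(secret, t, n, coeffs=None):
    """Shamir sharing as M * a with a = (s, a_1, ..., a_t).  Returns the list
    of shares; entry k belongs to player k+1 (row k+1 of M)."""
    if coeffs is None:
        coeffs = [random.randrange(P) for _ in range(t)]
    a = [secret % P] + [c % P for c in coeffs]
    return [sum(m * x for m, x in zip(row, a)) % P for row in vandermonde(n, t)]


def add_shares(shares1, shares2):
    """Linearity: the coordinatewise sum of shares of s and s' is a sharing of s + s'."""
    return [(u + v) % P for u, v in zip(shares1, shares2)]


def solve_mod_p(A, b):
    """Gauss-Jordan elimination over GF(P) for a square invertible matrix A."""
    n = len(A)
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    for col in range(n):
        piv = next(r for r in range(col, n) if M[r][col] % P)
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], P - 2, P)          # inverse via Fermat's little theorem
        M[col] = [v * inv % P for v in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(vr - f * vc) % P for vr, vc in zip(M[r], M[col])]
    return [M[r][n] for r in range(n)]


def reconstruct(shares_by_player, t):
    """Given {player index: share} for a qualified set (at least t+1 players),
    solve M_A a = shares_A for the coefficient vector a and return the secret a[0]."""
    if len(shares_by_player) < t + 1:
        raise ValueError("unqualified set: need at least t+1 shares")
    players = sorted(shares_by_player)[: t + 1]
    rows = [[pow(i, e, P) for e in range(t + 1)] for i in players]
    a = solve_mod_p(rows, [shares_by_player[i] for i in players])
    return a[0]
```

Any t+1 rows of a Vandermonde matrix with distinct points are linearly independent, which is why the system in `reconstruct` always has a unique solution; with fewer than t+1 rows the secret coordinate is undetermined, which is the privacy side of the threshold.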

Furthermore, it turns out that for any adversary structure, there exists an 
MSP-based secret sharing scheme for which the unqualified sets are exactly those 
in the adversary structure. Therefore, these ideas lead to MPC protocols for any 
adversary structure where MPC is possible at all. 

For details on how to use MSP’s to do MPC, see [13]. 


Appendix A. Formal Details of the General Security Model for 
Protocols 


In this section we propose a notion of universally composable security of synchro- 
nous protocols. 
A.1. The Real-Life Execution 


A real-life protocol π consists of n parties P_1, ..., P_n, all PPT interactive Turing 
machines (ITMs). The execution of a protocol takes place in the presence of an 
environment Z, also a PPT ITM, which supplies inputs to and receives outputs 
from the parties. Following Definition 4 from [8] Z also models the adversary of the 
protocol, and so schedules the activation of the parties, corrupts parties adaptively 
and controls corrupted parties. We assume that the parties are connected by open 
authenticated channels. 

To simplify notation we assume that in each round r each party P_i sends a 
message m_{i,j,r} to each party P_j, including itself. The message m_{i,i,r} can be thought 
of as the state of P_i after round r. To further simplify the notation we assume that 
in each round Z inputs a value x_{i,r} to P_i and receives an output y_{i,r}. A protocol 
not following this convention can easily be patched by introducing some dummy 
value ε = not a value. Using this convention we can write the r'th activation 
of P_i as (m_{i,1,r}, ..., m_{i,n,r}, y_{i,r}) = P_i(k, m_{1,i,r-1}, ..., m_{n,i,r-1}, x_{i,r}, r_i), where k is 
the security parameter and r_i is the random bits used by P_i. We assume that the 
parties cannot reliably erase their state. To model this we give r_i to Z when P_i is 
corrupted. Since Z knows all the inputs of P_i this will allow Z to reconstruct the 
entire execution history of P_i. In detail the real-life execution proceeds as follows. 


Init: The input to an execution is the security parameter k, the random bits 
r_1, ..., r_n ∈ {0,1}* used by the parties and an auxiliary input z ∈ {0,1}* for 
Z. 

Initialize the round counter r = 0 and initialize the set of corrupted 
parties C = ∅. In the following let H = {1, ..., n} \ C. 

Let m_{i,j,0} = ε for i, j ∈ [n]. 

Input k and z to Z and activate Z. 

Environment activation: When Z is activated it outputs one of the following 
commands: (activate i, x_{i,r}, {m_{j,i,r-1}}_{j∈C}) for i ∈ H or (corrupt i) for 
i ∈ H or (end round) or (guess b) for b ∈ {0, 1}. 

We require that no two (activate i, ...) commands for the same i are 
issued without being separated by an (end round) command and we require 
that between two (end round) commands an (activate i, ...) command was 
issued for i ∈ H, where H denotes the value of H when the second of the 
(end round) commands was issued. 

When a (guess b) command is given the execution stops. The other 
commands are handled as described below. After the command is handled 
the environment is activated again. 

Party activation: Values {m_{j,i,r-1}}_{j∈H} were defined in the previous round; add 
these to {m_{j,i,r-1}}_{j∈C} from the environment and compute 

(m_{i,1,r}, ..., m_{i,n,r}, y_{i,r}) = P_i(k, m_{1,i,r-1}, ..., m_{n,i,r-1}, x_{i,r}, r_i). 

Then give {m_{i,j,r}}_{j∈[n]\{i}} to Z. 

Corrupt: Give r_i to Z. Set C = C ∪ {i}. 
End round: Give the values {y_{i,r}}_{i∈H} defined in Party activation to Z and set 
r = r + 1. 

The result of the execution is the bit b output by Z. We are going to denote 
this bit by REAL_{π,Z}(k, r_1, ..., r_n, z). This defines a random variable REAL_{π,Z}(k, z), 
where we take the r_i to be uniformly random, and in turn defines a Boolean 
distribution ensemble REAL_{π,Z} = {REAL_{π,Z}(k, z)}_{k∈N, z∈{0,1}*}. 
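To make the bookkeeping of the real-life execution concrete, here is an added Python driver (not code from the notes) that enforces the rules above: parties are functions of (k, incoming messages, input, random tape), a party's message to itself is its state, Z supplies the previous-round messages of corrupted parties, corruption hands the random tape r_i to Z, and the activation constraints between (end round) commands are checked. The toy protocol ("send your input to everyone, output the sum of what you received last round") and the scripted command sequence in `demo` are constructed for this example; Z's final (guess b) is left to the caller.

```python
EPS = None   # the dummy value epsilon = "not a value"


def sum_party(k, incoming, x, r_i):
    """Constructed toy protocol for P_i: send x_{i,r} to every party (the copy
    sent to itself is its whole state) and output the sum of the values
    received in the previous round, or EPS if nothing was received yet.
    incoming maps j -> m_{j,i,r-1}; k and r_i are unused by this protocol."""
    received = [m for m in incoming.values() if m is not EPS]
    y = sum(received) if received else EPS
    return {j: x for j in incoming}, y


class RealLifeExecution:
    """Driver for the real-life execution of Appendix A.1."""

    def __init__(self, k, parties, tapes):
        self.k, self.parties, self.tapes = k, parties, tapes   # parties: {i: machine}
        self.r = 0
        self.C = set()                                         # corrupted parties
        self.H = set(parties)                                  # honest parties
        self.prev = {(i, j): EPS for i in parties for j in parties}   # m_{i,j,r-1}
        self.cur, self.y, self.activated = {}, {}, set()

    def activate(self, i, x, adv_msgs):
        """(activate i, x_{i,r}, {m_{j,i,r-1}}_{j in C}); returns {m_{i,j,r}}_{j != i} for Z."""
        if i not in self.H or i in self.activated:
            raise ValueError("activate: party %d not honest or already activated this round" % i)
        incoming = {j: (adv_msgs[j] if j in self.C else self.prev[(j, i)]) for j in self.parties}
        out, y = self.parties[i](self.k, incoming, x, self.tapes[i])
        self.activated.add(i)
        self.y[i] = y
        self.cur.update({(i, j): m for j, m in out.items()})
        return {j: m for j, m in out.items() if j != i}

    def corrupt(self, i):
        """(corrupt i): Z learns r_i, since parties cannot erase their state."""
        if i not in self.H:
            raise ValueError("corrupt: party %d is not honest" % i)
        self.H.discard(i)
        self.C.add(i)
        return self.tapes[i]

    def end_round(self):
        """(end round): every party still honest now must have been activated this round."""
        if not self.activated >= self.H:
            raise ValueError("end round: honest parties %s not activated"
                             % sorted(self.H - self.activated))
        outputs = {i: self.y[i] for i in self.H}               # {y_{i,r}}_{i in H} to Z
        self.prev.update(self.cur)
        self.cur, self.y, self.activated = {}, {}, set()
        self.r += 1
        return outputs


def demo():
    """Constructed scripted environment Z: two honest rounds, then corrupt P_3
    and let Z choose P_3's messages in round 2.  Returns what Z observed."""
    parties = {1: sum_party, 2: sum_party, 3: sum_party}
    tapes = {1: "r1", 2: "r2", 3: "r3"}          # random tapes (unused by the toy protocol)
    ex = RealLifeExecution(k=16, parties=parties, tapes=tapes)
    for i, x in [(1, 1), (2, 2), (3, 3)]:
        ex.activate(i, x, {})
    out0 = ex.end_round()                          # nothing received yet: all EPS
    for i, x in [(1, 10), (2, 20), (3, 30)]:
        ex.activate(i, x, {})
    out1 = ex.end_round()                          # each party outputs 1 + 2 + 3
    leaked = ex.corrupt(3)
    for i in (1, 2):
        ex.activate(i, 0, {3: 100})                # Z now speaks for P_3
    out2 = ex.end_round()                          # 10 + 20 + 100 for P_1 and P_2
    return out0, out1, out2, leaked
```

Note that after P_3 is corrupted its stored messages in `prev` are ignored and the values Z passes in `adv_msgs` are used instead, which is exactly the (activate i, x_{i,r}, {m_{j,i,r-1}}_{j∈C}) command shape above.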


A.2. The Ideal Process 


To define the security of a protocol an ideal functionality F is specified. The ideal 
functionality is a PPT ITM with n input tapes and n output tapes which we think 
of as being connected to n parties. The ideal functionality defines the desired input- 
output behaviour of the protocol and defines the desired secrecy by keeping the 
inputs secret. In the execution of an ideal functionality in an environment Z, the 
inputs to P_i from Z are simply handed to F and the outputs from F to P_i are handed 
to Z. To be able to specify protocols which leak some information about the inputs 
of the parties F has a special tape. To model protocols which are allowed to leak 
some specified information about the inputs of the parties the functionality simply 
outputs this information on the special tape. An example could be the following 
functionality modelling secure communication: It is connected to two parties S 
and R. If S inputs some value m ∈ {0,1}*, then |m| is output on the special tape 
and m is output to R. 

The ideal functionality also has the special input tape on which it receives two 
kinds of messages. When a party P_i is corrupted it receives the input (corrupt i) 
in response to which it might produce some output which is written on the special 
output tape. This behaviour can be used when modelling protocols which are 
allowed to leak particular information when a given party is corrupted. It can 
also receive the input (activate v) on the special tape in response to which it 
writes a value on the output tape for each party. The rules of the ideal process 
guarantee that F will have received exactly one input for each honest party 
between consecutive (activate v) commands. The value v can be thought of as 
the inputs to F from the corrupted parties, but can be interpreted by F arbitrarily, 
i.e., according to its specification. 

We then say that a protocol π securely realizes an ideal functionality F if the 
protocol has the same input-output behaviour as the functionality (this captures 
correctness) and all the communication of the protocol can be simulated given only 
the inputs and the outputs of the corrupted parties and the values on the special 
tape of F (this captures secrecy of the honest parties' inputs). When F is executed 
in some environment Z the environment knows the inputs and the outputs of 
all parties, so Z cannot be responsible for simulating. We therefore introduce a 
so-called interface or simulator S which is responsible for the simulation. The 
interface is put between the environment Z and the ideal process. The job of S is 
then to simulate a real-life execution by giving the environment correctly looking 
responses to the commands it issues. In doing this the interface sees the outputs 
from F on the special output tape (to model leaked information) and can specify 
the value v to F on the special input tape (to specify inputs of the corrupted 
parties or e.g. non-deterministic behaviour, all depending on how F is defined to 
interpret v). We note that S does not see the messages sent between F and Z for 
honest parties (which is exactly the purpose of introducing S). In detail the ideal 
process proceeds as follows. 


Init: The input to an ideal process is the security parameter k, the random bits 
r_F and r_S used by F and S and an auxiliary input z ∈ {0,1}* for Z. 
Initialize the round counter r = 0 and initialize the set of corrupted 
parties C = ∅. 
Provide S with r_S, provide F with r_F and give k and z to Z and activate 
Z. 

Environment activation: Z is defined exactly as in the real world, but now com- 
mands are handled by S, as described below. 

Party activation: The values {m_{j,i,r-1}}_{j∈C} are input to S and the value x_{i,r} is 
input to F on the input tape for P_i and F is run and outputs some value 
v_F on the special tape. This value is given to S which is then required to 
compute some values {m_{i,j,r}}_{j∈[n]\{i}} and return these to Z. 

Corrupt: When Z corrupts P_i, S is given the values x_{i,0}, y_{i,0}, x_{i,1}, ... exchanged 
between Z and F for P_i. Furthermore (corrupt i) is input to F in response 
to which F returns some value v_F which is also given to S. Then S is required 
to compute some value r_i and return it to Z. Set C = C ∪ {i}. 

End round: When an (end round) command is issued S is activated and pro- 
duces a value v. Then (activate v) is input to F which produces outputs 
{y_{i,r}}_{i∈[n]}. The values {y_{i,r}}_{i∈C} are then handed to S and the values {y_{i,r}}_{i∈H} 
are handed to Z. Set r = r + 1. 


The result of the ideal process is the bit b output by Z. We are going 
to denote this bit by IDEAL_{F,S,Z}(k, r_F, r_S, z). This defines a random variable 
IDEAL_{F,S,Z}(k, z) and in turn defines a Boolean distribution ensemble IDEAL_{F,S,Z} = 
{IDEAL_{F,S,Z}(k, z)}_{k∈N, z∈{0,1}*}. 

Notice that the interaction of Z with the real-world and the ideal process has 
the same pattern. The goal of the interface is then to produce the values that it 
hands to Z in such a way that Z cannot distinguish whether it is observing the 
real-life execution or a simulation of it in the ideal process. Therefore the bit b 
output by Z can be thought of as a guess on which of the two it is observing. This 
gives rise to the following definition. 


Definition 2. We say that π t-securely realizes F if there exists an interface S such 
that for all environments Z corrupting at most t parties it holds that IDEAL_{F,S,Z} ≈ 
REAL_{π,Z}. 


Here, the notation ≈ means that the two distributions involved are compu- 
tationally indistinguishable. 
A.3. The Hybrid Models 


We now describe the G-hybrid model for a synchronous ideal functionality G. Ba- 
sically the G-hybrid model is the real-life model where in addition the parties have 
access to an ideal functionality G to aid them in the computation. In each round r 
party P_i will receive an output t_{i,r-1} from G from the previous round and will pro- 
duce an input s_{i,r} for G for round r. This means that the r'th activation of P_i now 
is given by (m_{i,1,r}, ..., m_{i,n,r}, y_{i,r}, s_{i,r}) = P_i(k, m_{1,i,r-1}, ..., m_{n,i,r-1}, x_{i,r}, t_{i,r-1}, r_i). 
In the hybrid model, still Z models the adversary. Therefore, the output from G 
on its special tape, which models public information, is given to Z, and the inputs 
to G on its special input tape, which can be thought of as modelling the inputs 
from corrupted parties, are provided by Z. In detail the hybrid execution proceeds 
as follows. 


Init: The input to an execution is the security parameter k, the random bits 
r_1, ..., r_n ∈ {0,1}* used by the parties, the random bits r_G for G and an 
auxiliary input z ∈ {0,1}* for Z. 

Initialize the round counter r = 0 and initialize the set of corrupted 
parties C = ∅. 

Let m_{i,j,0} = ε for i, j ∈ [n] and let t_{i,-1} = ε. 

Provide G with r_G and input k and z to Z and activate Z. 

Environment activation: Z is defined exactly as in the real world except that the 
(end round) command has the syntax (end round v) for some value v and 
that Z receives some extra values in response to the commands as described 
below. 

Party activation: Values {m_{j,i,r-1}}_{j∈H} and t_{i,r-1} were defined in the previous 
round. Add these to {m_{j,i,r-1}}_{j∈C} from the environment and compute 

(m_{i,1,r}, ..., m_{i,n,r}, y_{i,r}, s_{i,r}) = P_i(k, m_{1,i,r-1}, ..., m_{n,i,r-1}, x_{i,r}, t_{i,r-1}, r_i). 

Then the value s_{i,r} is input to G on the input tape for P_i and G is run 
and produces some value v_G on the special tape. Then v_G is given to Z along 
with {m_{i,j,r}}_{j∈[n]\{i}}. 

Corrupt: Give r_i to Z along with the values s_{i,0}, t_{i,0}, s_{i,1}, ... exchanged between 
P_i and G, see below in End round. Furthermore (corrupt i) is input to G 
in response to which G returns some value v_G which is also given to Z. Set 
C = C ∪ {i}. 

End round: Give the values {y_{i,r}}_{i∈H} defined in Party activation to Z. Further- 
more, input (activate v) to G and receive the output {t_{i,r}}_{i∈[n]}. The values 
{t_{i,r}}_{i∈C} are then handed to Z and the values {t_{i,r}}_{i∈H} are used as input for 
the honest parties in the next round. Set r = r + 1. 

The result of the hybrid execution is the bit b output by Z. We will denote 
this bit by HYB^G_{π,Z}(k, r_1, ..., r_n, r_G, z). This defines a random variable HYB^G_{π,Z}(k, z) 
and in turn defines a Boolean distribution ensemble HYB^G_{π,Z}. 

As for an interface S simulating a real-life execution of a protocol π in the 
ideal process for ideal functionality F we can define the notion of a hybrid interface 
T simulating a hybrid execution of a hybrid protocol π[G] in the ideal process for 
ideal functionality F. This is defined equivalently. The only difference is that an 
ideal interface T has to return more values to Z to be successful. For completeness 
we give the ideal process with a hybrid simulator in detail. 


Init: The input to an ideal process is the security parameter k, the random bits 
r_F and r_T used by F and T and an auxiliary input z ∈ {0,1}* for Z. 
Initialize the round counter r = 0 and initialize the set of corrupted 
parties C = ∅. 
Provide T with r_T, provide F with r_F and give k and z to Z and 
activate Z. 

Environment activation: Z is defined exactly as in the hybrid world, but now 
the commands are handled by T, as described below. 

Party activation: The values {m_{j,i,r-1}}_{j∈C} are input to T and the value x_{i,r} is 
input to F on the input tape for P_i and F is run and outputs some value 
v_F on the special tape. This value is given to T which is then required to 
compute some values {m_{i,j,r}}_{j∈[n]\{i}} and a value v_G and return these 
to Z. 

Corrupt: When Z corrupts a party T is given the values x_{i,0}, y_{i,0}, x_{i,1}, ... ex- 
changed between Z and F for P_i. Furthermore (corrupt i) is input to F in 
response to which F returns some value v_F which is also given to T. Then T 
is required to compute some value r_i, some values s_{i,0}, t_{i,0}, s_{i,1}, ... and some 
value v_G and return them to Z. Set C = C ∪ {i}. 

End round: When an (end round v) command is issued T is activated with input 
(end round v) and produces a value v'. Then (activate v') is input to F 
which produces outputs {y_{i,r}}_{i∈[n]}. The values {y_{i,r}}_{i∈C} are then handed to 
T which produces an output {t_{i,r}}_{i∈C} and the values {t_{i,r}}_{i∈C} and {y_{i,r}}_{i∈H} 
are handed to Z. Set r = r + 1. 


Notice that the interaction of Z with the hybrid model and the ideal process 
has the same pattern. The goal of the interface T is then to produce the values 
that it hands to Z in such a way that Z cannot distinguish whether it is observing 
the hybrid execution or a simulation of it in the ideal process. 


Definition 3. We say that π t-securely realizes F in the G-hybrid model if there 
exists a hybrid interface T such that for all environments Z corrupting at most t 
parties it holds that IDEAL_{F,T,Z} ≈ HYB^G_{π,Z}. 


A.4. Composing Protocols 


Assume that we are given two protocols γ = (P_1^γ, ..., P_n^γ) for the real-life model 
and π[·] = (P_1^π[·], ..., P_n^π[·]) for a hybrid model. We describe how to compose 
such protocols to obtain a real-life protocol π[γ] = (P_1^π[P_1^γ], ..., P_n^π[P_n^γ]), which 
is intended to be the two protocols run in lock-step while replacing the ideal 
functionality access of π[·] by calls to γ. The messages sent by the parties P_i = 
P_i^π[P_i^γ] will consist of a message from each of the two protocols. For this purpose 
we fix some bijective encoding ⟨·,·⟩ : {0,1}* × {0,1}* → {0,1}* which can be 
computed and inverted efficiently. 

The activation (m_{i,1,r}, ..., m_{i,n,r}, y_{i,r}) = P_i(k, m_{1,i,r-1}, ..., m_{n,i,r-1}, x_{i,r}, r_i) 
is computed as follows. If while running P_i^π[·] and P_i^γ these machines request a 
random bit, give them a fresh random bit from r_i. For notational convenience we 
let r_i^π and r_i^γ denote the bits used by P_i^π[·] respectively P_i^γ. For j ∈ [n] \ {i} let 
⟨m^π_{j,i,r-1}, m^γ_{j,i,r-1}⟩ = m_{j,i,r-1} and let ⟨⟨m^π_{i,i,r-1}, m^γ_{i,i,r-1}⟩, t_{i,r-1}⟩ = m_{i,i,r-1}. Then 
compute 

(m^π_{i,1,r}, ..., m^π_{i,n,r}, y_{i,r}, s_{i,r}) = P_i^π(k, m^π_{1,i,r-1}, ..., m^π_{n,i,r-1}, x_{i,r}, t_{i,r-1}, r_i^π) 

and then compute 

(m^γ_{i,1,r}, ..., m^γ_{i,n,r}, t_{i,r}) = P_i^γ(k, m^γ_{1,i,r-1}, ..., m^γ_{n,i,r-1}, s_{i,r}, r_i^γ). 

Then for j ∈ [n] \ {i} let m_{i,j,r} = ⟨m^π_{i,j,r}, m^γ_{i,j,r}⟩ and let m_{i,i,r} = ⟨⟨m^π_{i,i,r}, m^γ_{i,i,r}⟩, t_{i,r}⟩. 


The following composition theorem follows directly from Lemma 2 in the 
below section. 


Theorem 3. Assume γ t-securely realizes G and that π[·] t-securely realizes F in 
the G-hybrid model. Then π[γ] t-securely realizes F. 


A.5. Composing Interfaces 


We now describe how to compose two interfaces. Assume that we are given a 
real-life interface S and a hybrid model interface T[·]. We now describe how to 
construct a new real-life interface T[S]. The idea behind the composition operation 
is as follows. Assume that T[·] simulates a protocol π[G] while having access to the 
ideal functionality F, and assume that S simulates a protocol γ while having access 
to G. We then want U = T[S] to simulate the protocol π[γ] while having access 
to F. This is done as follows. First of all U runs T[·] using U's access to F. This 
provides U with a simulated version of π[G] consistent with F, which in particular 
provides it with a simulated access to G. Using the simulated access to G it then 
runs S and gets a simulated version of γ consistent with G from the simulated π[G] 
consistent with F. It then merges the values of the simulated version of π[G] and 
the simulated γ as defined by the composition operation on protocols and obtains 
a simulated version of π[γ] consistent with F. The notation used to describe the 
composition operation will reflect the above idea. The composed interface works 
as follows. 

Init: U receives k and random bits r. When S or T[·] request a random bit U 
gives them a random bit from r. 

Party activation: U receives {m_{j,i,r-1}}_{j∈C} from Z and v_F from F and must 
provide outputs {m_{i,j,r}}_{j∈[n]\{i}}. This is done as follows. 
1. For j ∈ C compute ⟨m^π_{j,i,r-1}, m^γ_{j,i,r-1}⟩ = m_{j,i,r-1}. 
2. Input {m^π_{j,i,r-1}}_{j∈C} and v_F to T[·] which generates values 
{m^π_{i,j,r}}_{j∈[n]\{i}} and v_G. 
3. Input {m^γ_{j,i,r-1}}_{j∈C} and v_G to S which generates values 
{m^γ_{i,j,r}}_{j∈[n]\{i}}. 
4. Output {m_{i,j,r}}_{j∈[n]\{i}}, where m_{i,j,r} = ⟨m^π_{i,j,r}, m^γ_{i,j,r}⟩. 

Corrupt: U receives x_{i,0}, y_{i,0}, x_{i,1}, ... and v_F and must provide an output r_i. 
This is done as follows. 
1. Input x_{i,0}, y_{i,0}, x_{i,1}, ... and v_F to T[·] which generates values r_i^π and 
s_{i,0}, t_{i,0}, s_{i,1}, ... and v_G. 
2. Input s_{i,0}, t_{i,0}, s_{i,1}, ... and v_G to S which generates a value r_i^γ. 
3. Output r_i = [r_i^π, r_i^γ]. 

End round: U is given (end round) and must produce an output for F in re- 
sponse to which it receives {y_{i,r}}_{i∈C}. To run S and T[·] as they expect this 
is done as follows. 
1. Activate S on input (end round) and receive as output a value v. 
2. Activate T[·] on input (end round v) and receive as output a value v'. 
3. Output v' and receive {y_{i,r}}_{i∈C}. 
4. Hand {y_{i,r}}_{i∈C} to T[·] and get the output {t_{i,r}}_{i∈C}. 
5. Then input {t_{i,r}}_{i∈C} to S. 
Using the proof techniques from [8] it is straightforward to construct a proof 
for the following lemma. The proof contains no new ideas and has been excluded 
for that reason and to save space. 


Lemma 2. Assume that for all environments Z corrupting at most t parties, it 
holds that IDEAL_{G,S,Z} ≈ REAL_{γ,Z}, and assume that for all hybrid environments Z 
corrupting at most t parties it holds that IDEAL_{F,T,Z} ≈ HYB^G_{π,Z}; then for all envi- 
ronments Z corrupting at most t parties it holds that IDEAL_{F,T[S],Z} ≈ REAL_{π[γ],Z}. 


As mentioned, this lemma is essentially the composition theorem listed in 
the main text of this note. It trivially generalizes from the threshold adversaries 
assumed here to general adversary structures. 
Foundations of Modern Cryptography 


Giovanni Di Crescenzo 


1. Introduction 


The need for cryptography has been recognized since ancient times. One of its 
main goals, private communication in the presence of an adversary, is traced back to 
the ancient Roman empire, whose emperor Julius Caesar used to communicate to 
his allies by replacing each letter in his message with the third next letter in the 
alphabet. 

Classical cryptography went on until the end of last century focusing on the 
art of designing and breaking secrecy codes. Modern cryptography has significantly 
enlarged its scope to the rigorous analysis of any system that is potentially subject 
to malicious threats and the design of solutions that can guarantee the system 
to withstand such threats. As a consequence, many goals have been added to 
that of private communication in the presence of an adversary, and cryptography 
has moved from an engineering art built on a number of heuristic techniques to a 
scientific discipline based on mathematically rigorous design requirements, solution 
techniques and correctness proofs. 

We present here an introduction to some basic topics in the foundation of 
modern cryptography; specifically: one-way functions, pseudo-random generators, 
pseudo-random functions and zero-knowledge protocols. 


2. One-Way Functions 


Modern cryptography is based on the existence of computational problems that 
are “efficiently” solved by intended users and that can be associated with related 
computational problems that are conjectured to be “not efficiently” solvable by 
adversaries. Then the actual execution of the cryptographic protocol by its users is 
feasible while violating its security property by an adversary is not. The notion of 
“efficiency” is formulated according to the analogue notion in complexity theory; 
that is, an algorithm is efficient if it runs in polynomial time in a security param- 
eter (typically specified by the length of its input). Consequently, the notion of 
a computational problem being not efficiently solvable is formulated by requiring 
that no algorithm running in polynomial time can solve the problem. We note 
that these notions are “asymptotic”. In particular, a typical security requirement 
of a system may ask that a certain computational problem cannot be solved by a 
polynomial time algorithm for “sufficiently large” values of the security parameter. 

Although at first sight it is clear that some hardness assumption is required 
to prove the security of a cryptographic scheme, it is not immediately clear which 
is the best assumption. Ideally, one would like to prove the security of a crypto- 
graphic scheme by assuming that P ≠ NP, or, at least, that BPP ≠ NP, since one 
admits efficient computation to be augmented with probabilistic choices. However, 
such an assumption would only guarantee that a problem is not efficiently solv- 
able by an adversary in its worst case, while it could be solvable, for instance, 
in the majority of the cases (which would still be quite far from acceptable in a 
typical cryptographic application). Therefore an assumption referring to hardness 
of a problem in an average case sense seems to be needed. We do not know if 
the assumption that BPP ≠ NP implies the existence of languages that are hard 
on average, but, regardless of that, it seems that even the latter assumption may 
not suffice. This is because in a cryptographic protocol it would be desirable that 
honest parties can feasibly run the protocol and are therefore able to generate 
instances of problems that are hard on average from the point of view of adver- 
saries. Roughly speaking, this implies the requirement of a method to efficiently 
generate hard on average instances that can be solved efficiently by whoever gener- 
ates them but inefficiently from someone else. The definition of one-way functions 
precisely satisfies this requirement, by defining, informally, functions that can be 
computed efficiently, but for which no polynomial time algorithm can invert with 
non-negligible success an image of the function computed on a randomly chosen 
input. Since their original proposal, one-way functions have played a crucial role 
in the development of modern cryptography, to the point that all other crypto- 
graphic primitives and applications are studied in relationship to one-way functions, 
and central questions are if a specific cryptographic primitive or protocol can be 
constructed from any one-way function (and vice versa). 

As of today, numerous primitives and protocols have been introduced in the 
literature and there exists a complex structure of relationships between them. In 
particular, many important primitives such as pseudo-random functions, pseudo- 
random generators and zero-knowledge proofs can be constructed from any one- 
way function (and vice versa). On the other hand several other cryptographic 
protocols have been proved secure under probably stronger assumptions than the 
mere existence of one-way functions, and seem to require such stronger assump- 
tions. 


2.1. Definitions 


We start with some preliminary definitions. 
An algorithm is a Turing machine; an efficient algorithm and an adversary are 
probabilistic polynomial-time algorithms. By the expression x ← y we denote the 
possibly random process of (1) uniformly and independently choosing element x 
from set y, or (2) uniformly and independently drawing x according to distribution 
y, or (3) setting object x equal to object y, or (4) setting object x equal to the 
output of the (possibly probabilistic) algorithm y (in which case we specify also 
the input to y). By Prob[R_1; ...; R_n : E] we denote the probability of event E, 
after the ordered execution of possibly random processes R_1, ..., R_n. 

We define negligible functions as functions that tend to zero smaller than any 
inverse of a polynomial. 


Definition 1. A function δ is negligible if for all positive constants c there exists 
an integer n_c such that δ(n) < n^{-c}, for all n > n_c. 


Intuitively, events with a negligible probability should not be noticed by proba- 
bilistic polynomial-time algorithms when the input sizes are large enough. We now 
are ready to formally define one-way functions. 


Definition 2. A function f : {0,1}* → {0,1}* is one-way if 


1. there exists an efficient algorithm C that, on input x, returns f(x); 
2. for any efficient algorithm A, the following probability is negligible in n: 


Prob[x ← {0,1}^n; y ← f(x); x' ← A(1^n, y) : f(x') = f(x)]. 

We also define collections of one-way functions. 


Definition 3. A collection of functions F = {f_n : n ∈ N, f_n : {0,1}^n → {0,1}^n} 
is one-way if 


1. there exists an efficient algorithm C that, on input n, x, returns f_n(x), and 
2. for any efficient algorithm A, the following probability is negligible in n: 

Prob[x ← {0,1}^n; y ← f_n(x); x' ← A(1^n, y) : f_n(x') = f_n(x)]. 


It is possible to prove that one-way functions exist if and only if collections of one- 
way functions exist. We note that the definition of one-way function essentially 
implies that almost all inputs to the function produce an output that is hard to 
invert. A natural relaxation of this intuition is that only a large fraction of the 
inputs produce outputs that are hard to invert. These functions are called “weak 
one-way” and will be discussed later in greater detail. 

We now recall the definition of “trapdoor” functions as one-way functions with 
the additional property that there exists some information that allows its owner 
(and only her) to invert the function. 


Definition 4. A trapdoor function $f : \{0,1\}^* \to \{0,1\}^*$ is a one-way function 
for which there exists an efficient algorithm $E$ and a polynomial $p$ such that, for 
any $n$, there exists a string $t_n$ such that $|t_n| \le p(n)$ and for all $x \in \{0,1\}^n$, 


$$E(f(x), t_n) = x' \quad\text{and}\quad f(x) = f(x').$$ 


92 Giovanni Di Crescenzo 


Definition 5. A collection of trapdoor functions $F = \{f_n : n \in \mathbb{N},\ f_n : \{0,1\}^n \to \{0,1\}^n\}$ 
is a collection of one-way functions for which there exists an efficient 
algorithm $E$ and a polynomial $p$ such that, for any $n$, there exists a string $t_n$ such 
that $|t_n| \le p(n)$ and for all $x \in \{0,1\}^n$, $E(1^n, f_n(x), t_n) = x'$ and $f_n(x) = f_n(x')$. 


We note that not all collections of one-way functions may be collections of trapdoor 
one-way functions, and, given the current state of the art, it seems unlikely that 
one can construct a collection of trapdoor functions from an arbitrary collection of 
one-way functions (without making stronger hardness assumptions). 


2.2. Candidates from Number Theory 


Proving the existence of a one-way function implies a proof that $P \ne NP$, currently 
the biggest open question in Theoretical Computer Science. Several candidates for 
one-way functions have been provided in the literature, and many of these are to- 
day widely believed to satisfy the previous definition (where the belief is essentially 
based on the fact that many years of research have not produced an efficient al- 
gorithm inverting such functions). Number theory has proved to be a source of 
several problems that appear to be “hard” and therefore provide good candidates 
for both collections of one-way functions and collections of trapdoor functions. 
We will consider some of these problems here. Specifically, we consider the prob- 
lems of “factoring composite integers” and “computing discrete logarithms modulo 
primes” in order to construct candidates for collections of one-way functions, and 
the problem of “computing square or higher-order roots modulo composites”, to 
construct candidates for collections of trapdoor functions. 


Factoring. We define two collections of functions based on the multiplication of 
natural numbers. First, we define the collection of functions $IM_1 = \{f1_n : n \in \mathbb{N},\ 
f1_n : \{0,1\}^n \to \{0,1\}^n\}$, where $f1_n(p,q) = x$, $p, q$ are interpreted as positive 
integers of length $n/2$ and $x$ is computed as their product over the set of natural 
integers $\mathbb{N}$. Then we define $IM_2 = \{f2_n : n \in \mathbb{N},\ f2_n : \{0,1\}^n \to \{0,1\}^n\}$, where 
$f2_n(r) = x$, where $r$ is used to uniquely determine two primes $p, q$ of length $n/2$ 
and $x$ is computed as their product over $\mathbb{N}$. 

We first note that the product of two positive integers can be computed in 
polynomial (in fact, quadratic) time. The problem underlying both problems of 
inverting $IM_1$ and $IM_2$, well known as factoring, is one of the most fascinating 
in elementary number theory and most studied today in computational number 
theory and cryptography. Considerations about the hardness of computing the 
factorization of large integers are attributed, for instance, to Gauss. After numer- 
ous studies, Integer Multiplication, in its definition $IM_1$, seems a good candidate 
for a collection of “weak” one-way functions (to be formally defined later); this 
is because there is certainly a large fraction of inputs for which the function $f1_n$ 
can be efficiently inverted. Consider, as a simple example, the case in which $p$ 
and $q$ can be themselves factored as the product of small primes. Then a simple 
algorithm that tests divisibility can discover each single factor one at a time by 
checking many small primes. However, if this is not the case, then several research 
efforts have only produced algorithms that run in time superpolynomial in the size 
of the input. The asymptotically fastest algorithms known today are variations 
on the so-called ‘random squares algorithm’ [38], a probabilistic algorithm with 
running time $L(n)^{1/2}$, for $L(n) = e^{\sqrt{\log n \log\log n}}$. Specifically, various versions of 
the ‘number field sieve’ are proved, under certain assumptions, to factor integers 
in expected time 


$$e^{(c + o(1))(\log n)^{1/3}(\log\log n)^{2/3}}$$ 


for some constant $c$ [40, 1]. This state of affairs leads to the belief that $IM_2$ is 
a good candidate for a collection of one-way functions. 


Discrete Logarithm. Let $p$ be a prime. Then the multiplicative group $(\mathbb{Z}_p^*, \cdot \bmod p)$, 
where $\mathbb{Z}_p^* = \{z : z < p,\ (z,p) = 1\}$, is cyclic; that is, it can be written as $\mathbb{Z}_p^* = 
\{g^i : i = 1, \ldots, p-1\}$, for some generator $g$. We define the following collection 
of functions $EXP = \{f_n : n \in \mathbb{N},\ f_n : \{0,1\}^n \to \{0,1\}^n\}$, where $f_n(p, g, x) = 
(a, b, c)$, where $a = p$, $b = g$ and $c = g^x \bmod p$. We can easily restrict the function 
so that $p$ is a prime, and $g$ is a generator of the multiplicative group $\mathbb{Z}_p^*$. 

We first remark that generating a prime $p$ of a pre-specified length can be done 
in polynomial time due to a recent breakthrough result, and so can the operation 
of exponentiation modulo a prime (that is, computing $c = g^x \bmod p$), through 
repeated squaring operations. Computing a generator $g$ of the multiplicative group 
$\mathbb{Z}_p^*$ can be done in expected polynomial time, as a random element of $\mathbb{Z}_p^*$ can be 
tested in polynomial time and the density of generators in $\mathbb{Z}_p^*$ is high. 

The problem of inverting $EXP$, well known as computing discrete logarithms, 
is another important problem in elementary number theory and well studied to- 
day in computational number theory and cryptography. Several efforts have been 
devoted to trying to solve this problem, the best culminating in the ‘index calculus 
algorithm’ that solves the problem in expected running time $L(p)^{1/2}$. Consequently, 
$EXP$ seems a good candidate for a collection of one-way functions. 


The RSA Function. We now introduce a candidate for a collection of trapdoor 
functions. Define the following collection of functions $RSA = \{f_n : n \in \mathbb{N},\ f_n : 
\{0,1\}^n \to \{0,1\}^n\}$, where $f_n(N, e, x) = (a, b, c)$, where $a = N$, $b = e$ and $c = 
x^e \bmod N$. We are especially interested in the case in which $N$ is the product of 
two primes $p, q$, and $e$ is an integer coprime with $\phi(N) = (p-1)(q-1)$. The 
trapdoor is the factorization $p, q$ of $N$, and it allows one to invert the function. 

We first remark that generating an integer $N$ as the product of two primes 
and a value $e$ such that $(e, \phi(N)) = 1$, and computing $c = x^e \bmod N$, can be 
done in polynomial time. The best algorithm known for inverting $RSA$ consists of 
factoring $N$, which is believed to be hard as discussed before. 


The Squaring Function. Another candidate for a collection of trapdoor functions 
is the squaring function; that is, the RSA function, for e = 2. For this function, 
one can prove that the problem of inverting the function is equivalent to factoring 
N. 
2.3. Weak vs. Strong One-Way Functions 


We now formally define “weak” one-way functions and will also refer to (previously 
defined) one-way functions as “strong” one-way functions. Informally, weak one- 
way functions represent a relaxation of one-way functions, as they only require that 
no efficient adversary can invert the function on at least a noticeable fraction of 
the inputs. 


Definition 6. Let $p$ be a polynomial. A function $f : \{0,1\}^* \to \{0,1\}^*$ is a $p$-weak 
one-way function if 


1. there exists an efficient algorithm $C$ that, on input $x$, returns $f(x)$; 
2. for any efficient algorithm $A$, it holds that for all sufficiently large $n$, 


$$\mathrm{Prob}[\,x \leftarrow \{0,1\}^n;\ y \leftarrow f(x);\ x' \leftarrow A(1^n, y) : f(x') \ne f(x)\,] \ge 1/p(n).$$ 


Similarly as before, we can define a collection of weak one-way functions. The 
following theorem was first stated in the oral presentation of [52]. 


Theorem 1. A weak one-way function exists if and only if a strong one-way func- 
tion exists. 


As one-way functions are believed to represent a very minimal notion of crypto- 
graphic hardness, this theorem seems to suggest that cryptographic hardness can 
be amplified from a low (but sufficiently noticeable) level to a high (and sufficiently 
close to the maximum possible) level. 


Proof. We start the proof by recalling the transformation from weak to strong 
one-way functions from [52]. Intuitively, the strong one-way function is the con- 
catenation of sufficiently many applications of the weak one-way function. This is 
reminiscent of analogous theorems in Information Theory; interestingly, as we will 
see, the proof of this theorem is significantly harder. 

More formally, given a $p$-weak collection of one-way functions $F = \{f_n : n \in 
\mathbb{N}\}$, where $f_n : \{0,1\}^n \to \{0,1\}^n$, we define a collection $G = \{g_m : m \in \mathbb{N}\}$, where 
$g_m : \{0,1\}^m \to \{0,1\}^m$, for $m = 2n^2p(n)$, is defined as 


$$g_m(x_1, \ldots, x_{2np(n)}) = (f_n(x_1), \ldots, f_n(x_{2np(n)})).$$ 
We now prove that $G$ is a collection of strong one-way functions. Assume (towards 
contradiction) that this is not the case. Then there exists an efficient adversary $A$ 
and a polynomial $q$ such that for infinitely many $m$, it holds that 
$$\mathrm{Prob}[\,x \leftarrow \{0,1\}^m;\ y \leftarrow g_m(x);\ x' \leftarrow A(1^m, y) : g_m(x') = g_m(x)\,] \ge 1/q(m).$$ 


If we present an efficient adversary $A'$ that, using $A$, can invert $f_n$ with probability 
at least $1 - 1/p(n)$ then we contradict the assumption that $F$ is a collection of 
$p$-weak one-way functions. Consider the following algorithm $A'$. 


Input for Algorithm $A'$: $y \in \{0,1\}^n$, where $y = f_n(x)$, for a randomly chosen $x$. 
Instructions for Algorithm $A'$: 
1. repeat $4n^2p(n)q(m)$ times: 
   for $i = 1, \ldots, 2np(n)$ 
      randomly choose $x_j \in \{0,1\}^n$, for $j = 1, \ldots, i-1, i+1, \ldots, 2np(n)$ 
      compute $y_j = f_n(x_j)$, for $j = 1, \ldots, i-1, i+1, \ldots, 2np(n)$ 
      if $A$ successfully inverts $(y_1, \ldots, y_{i-1}, y, y_{i+1}, \ldots, y_{2np(n)})$ then 
         let $(x'_1, \ldots, x'_{2np(n)}) = A(1^m, (y_1, \ldots, y_{i-1}, y, y_{i+1}, \ldots, y_{2np(n)}))$ 
         return: $x'_i$ and halt 
2. return: ‘failure to invert’. 


We define the subset $\mathrm{BAD} \subseteq \{0,1\}^n$ of $x$ such that the probability, over the 
randomness used by $A'$, that in a single iteration of its repeat loop $A'$ returns 
$f_n^{-1}(f_n(x))$ is less than $1/4np(n)q(m)$. 

We now show that the probability, over the randomness used by $A'$ and the 
random choice of $x$, that $A'$ is not successful is ‘essentially’ the probability that 
$x$ is BAD. More precisely, we define event $e(A',x)$ as the event that $A'$ does not 
invert $y = f_n(x)$, when $x$ is randomly chosen, and $A'$ is run on $f_n(x)$. Then we 
have that 


$$
\begin{aligned}
\mathrm{Prob}[\,e(A',x)\,] &= \mathrm{Prob}[\,e(A',x) \mid x \in \mathrm{BAD}\,] \cdot \mathrm{Prob}[\,x \in \mathrm{BAD}\,] \\
&\quad + \mathrm{Prob}[\,e(A',x) \mid x \notin \mathrm{BAD}\,] \cdot \mathrm{Prob}[\,x \notin \mathrm{BAD}\,] \\
&\le 1 \cdot \mathrm{Prob}[\,x \in \mathrm{BAD}\,] + \big(1 - 1/4np(n)q(m)\big)^{4n^2p(n)q(m)} \cdot 1 \\
&\le \mathrm{Prob}[\,x \in \mathrm{BAD}\,] + e^{-n}.
\end{aligned}
$$ 


If we show that $\mathrm{Prob}[\,x \in \mathrm{BAD}\,] \le 1/2p(n)$ then we have that $\mathrm{Prob}[\,e(A',x)\,] \le 
1/2p(n) + e^{-n} < 1/p(n)$, which brings us to contradicting the assumption that $f_n$ 
is a weak one-way function. To show that $\mathrm{Prob}[\,x \in \mathrm{BAD}\,] \le 1/2p(n)$, assume 
(towards contradiction) that this is not the case. Then let $\bar{x} = (x_1, \ldots, x_{2np(n)})$ 
and define the event $e(A,\bar{x})$ as the event that $A$ successfully inverts $\bar{y} = g_m(\bar{x})$, 
when $\bar{x}$ is uniformly chosen. Then we have that the probability of event $e(A,\bar{x})$ is 


$$
\begin{aligned}
&= \mathrm{Prob}\Big[\,e(A,\bar{x}) \,\Big|\, \bigvee_{i=1}^{2np(n)} x_i \in \mathrm{BAD}\,\Big] \cdot \mathrm{Prob}\Big[\,\bigvee_{i=1}^{2np(n)} x_i \in \mathrm{BAD}\,\Big] \\
&\quad + \mathrm{Prob}\Big[\,e(A,\bar{x}) \,\Big|\, \bigwedge_{i=1}^{2np(n)} x_i \notin \mathrm{BAD}\,\Big] \cdot \mathrm{Prob}\Big[\,\bigwedge_{i=1}^{2np(n)} x_i \notin \mathrm{BAD}\,\Big] \\
&\le \sum_{i=1}^{2np(n)} \mathrm{Prob}[\,e(A,\bar{x}) \mid x_i \in \mathrm{BAD}\,] \cdot \mathrm{Prob}[\,x_i \in \mathrm{BAD}\,] \\
&\quad + \mathrm{Prob}\Big[\,e(A,\bar{x}) \,\Big|\, \bigwedge_{i=1}^{2np(n)} x_i \notin \mathrm{BAD}\,\Big] \cdot \mathrm{Prob}\Big[\,\bigwedge_{i=1}^{2np(n)} x_i \notin \mathrm{BAD}\,\Big] \\
&\le (2np(n)) \cdot \frac{1}{4np(n)q(m)} \cdot 1 + 1 \cdot \big(1 - 1/2p(n)\big)^{2np(n)} \\
&\le \frac{1}{2q(m)} + e^{-n} \;<\; \frac{1}{q(m)},
\end{aligned}
$$ 


which negates our original assumption and therefore gives us a contradiction. 




It has been noted that Yao’s construction of a strong one-way function from a 
weak one-way function is not satisfactory as it significantly increases the size of 
the input. Perhaps surprisingly, in practical applications, such a large increase in 
the size of the input can make a supposedly hard function actually easy to invert 
for all sizes of interest. This is best illustrated with an example. Suppose a one-way 
function is used in a cryptographic protocol and the amount of resources available 
to the user evaluating the function is bounded. Specifically, assume that the user 
can only use 1024-bit input one-way functions and that such functions have been 
obtained using the above reduction by 32 parallel applications of weak one-way 
functions on 32-bit inputs. Then the running time necessary to invert the strong 
one-way function becomes 32 times the running time necessary to invert each weak 
function, which may be very small given the short input size. This example calls 
for methods to evaluate the security of reductions between one-way functions, and, 
in fact, between any two cryptographic primitives (as the same problem can be 
recast, with appropriate modifications, on other cryptographic primitives as well). 

A crucial quantity for evaluating the security of a cryptographic primitive is 
the amount of memory used by an application of the primitive, and, more specifi- 
cally, as observed in [32], the amount of private memory only. The latter is taken 
as the security parameter of an instance of the primitive. Given an instance $f$ of a 
primitive $P$, we denote by $A$ an adversary trying to “break” $f$, by $t$ a polynomial 
bounding its running time, by $\delta$ a function denoting its success probability, and 
by $R$ the function defined as $R(n) = t(n)/\delta(n)$ for all $n \in \mathbb{N}$, the achievement 
ratio of $A$, $n$ denoting the security parameter. 


Given two primitives $P1$ and $P2$, using $n_1$ and $n_2$ private memory, respectively, 
we say that a reduction from $P1$ to $P2$ is a pair of machines $(S, A_1)$ such that: 


1. given a description of an instance $f$ of $P1$, $S$ returns a description of an 
instance $g$ of $P2$; 

2. given an adversary $A_2$ running in time $t_2(n_2)$ who breaks $g$ with probability 
$\delta_2(n_2)$, $A_1$ is an oracle adversary running in time $t_1(n_1)$, with access to oracle 
$A_2$, who breaks $f$ with probability $\delta_1(n_1)$. 


The parameters $t_1, \delta_1, t_2, \delta_2, n_1, n_2$ play an important role in evaluating the 
strength of the reduction. Specifically, compare the achievement ratios of $A_1$ and 
$A_2$, when both instances have the same private memory $n$; in general, they might 
satisfy the following inequality: 


$$R_1(n) \le n^c \, R_2(n^\alpha)^\beta,$$ 
for some constants $c, \alpha, \beta$. 
We say that a reduction from an instance of primitive $P1$ to an instance of primitive 
$P2$ is 
1. linear-preserving if $\alpha = \beta = 1$, 

2. polynomially-preserving if $\alpha = 1$ and $\beta = c > 1$, 
3. slight-preserving if $\alpha = \beta = c > 1$, for some $c \in \mathbb{N}$. 
A linear-preserving reduction is more desirable than a polynomially-preserving one, 
which in turn is more desirable than a slight-preserving one. The term security- 
preserving is often used in the literature for reductions that are either linear- 
preserving or polynomially-preserving. 

A crucial fact that is often used is that a sufficient condition for a reduction to 
be security-preserving is that $n_2 = a \cdot n_1$, and $R_1(n) = R_2(n)^b$, for some constants 
$a, b > 1$ (in other words, it is enough that the amount of private randomness used 
by primitive $P2$ is only a constant times that used by primitive $P1$, and that the 
running times and the success probabilities associated with the adversaries are 
polynomially related). 

We note that in Yao’s construction of a strong one-way function from any 
weak one-way function the amount of randomness used by the former is not a 
constant times the amount of randomness used by the latter; in fact, it can be 
larger even by a large polynomial factor. This motivated researchers to come up 
with additional constructions that save randomness. 


Weak vs. Strong One-Way Permutations. The construction in [25] is polynomially- 
preserving and is performed for the case of one-way permutations. Given a $p(n)$- 
weak collection of one-way permutations $F = \{f_n : n \in \mathbb{N}\}$, where $f_n : \{0,1\}^n \to 
\{0,1\}^n$, define a collection of one-way permutations $G = \{g_m : m \in \mathbb{N}\}$, where 
$g_m : \{0,1\}^m \to \{0,1\}^m$, for $m = n + O(p(n))$, is defined as a repeated application 
of the following two steps: one execution of the permutation $f_n$ on a portion of 
the input of size $n$, and one random step on an expander graph having vertex set 
$\{0,1\}^n$. At the end the final node reached on the expander is returned in output 
together with the input portion used to choose the random steps on the expander. 
Later, in [32], additional constructions have been given for security-preserving 
reductions between weak and strong one-way permutations, some of which are 
linear-preserving. In particular, the paper [32] formalizes and uses the important 
observation that the security of a function can be parameterized by the private 
input only (rather than both private and public). 


Weak vs. Strong One-Way Regular Functions. The construction in [15] is polyno- 
mially-preserving and is performed for the case of one-way regular functions; that 
is, functions for which each image has the same number of preimages. The construc- 
tion in [15] uses pairwise independent hash functions and is obtained by iterating 
several times an atomic function. Specifically, let $H_{2n}$ be the set of pairwise inde- 
pendent hash functions that can be described with $4n$ bits. Given a $p$-weak collection 
of one-way functions $F = \{f_n : n \in \mathbb{N}\}$, where $f_n : \{0,1\}^n \to \{0,1\}^n$, define the 
collection of functions $AG = \{ag_n : n \in \mathbb{N}\}$, where $ag_n : \{0,1\}^{2n} \times \{0,1\}^{4n} \to 
\{0,1\}^{2n}$ is defined as 


$$ag_n(a, b; h_n) = (f_n(b),\ h_n(a \circ b)),$$ 


for all $a, b \in \{0,1\}^n$ and $h_n \in H_{2n}$, where the symbol $\circ$ denotes concatenation. 
Then the final collection of functions $CG = \{cg_n : n \in \mathbb{N}\}$ is defined as follows. 
Input to $cg_n$: $(a, b; h_0, \ldots, h_{k-1})$, where $a, b \in \{0,1\}^n$, $h_0, \ldots, h_{k-1} \in H_{2n}$, $k = 
an/p(n)$. 


Instructions for $cg_n$: 


1. Set $a_0 = a$ and $b_0 = b$. 
2. For $i = 0, \ldots, k-1$, 
   set $(a_{i+1}, b_{i+1}) = ag_n(a_i, b_i; h_i)$. 
3. Output: $(a_k, b_k)$. 


3. Pseudo-Random Generators 


As randomness plays a vital role in several areas of computer science, such as 
cryptography, algorithms and complexity theory, pseudo-random generators are 
very often crucial tools for the use of randomness in these domains. 

Informally, by a pseudo-random generator one denotes a deterministic function 
that, given as input a short string of ‘random’ bits, returns a longer string that 
‘looks random’ to an observer with certain ‘limited computational resources’. 


Real randomness. A first question one may ask is: are there really ways to generate 
random bits? This question is currently answered by looking at some natural 
sources, such as radioactive sources, noise diodes or coins. However, these and 
similar sources may not be perfect in that they may generate either biased bits (bits 
for which the probability of 1 is different from the probability of 0) or correlated 
bits (bits for which the conditional probabilities of 0 and 1 are different). Much 
research has been devoted to the problem of turning a biased and correlated source 
into an almost random one. Dealing with bias is not hard; for instance, the well- 
known Von Neumann’s trick suggests extracting bit 0 from pairs 01 returned by the 
biased source, bit 1 from pairs 10, and discarding pairs 00 and 11. (Note that the 
resulting source has no bias since the probabilities of pairs 01 and 10 are identical 
for any bias.) Dealing with correlation seems harder, and several papers have 
proposed interesting techniques that return random sources starting from sources 
with a certain predefined correlation function. All these techniques turn out to be 
very helpful in generating random bits from potentially defective natural sources. 
Therefore, from now on we will assume that there exist effective ways to generate 
random bits. 
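As an added illustration (not code from the lecture notes), the following Python implements Von Neumann's trick on a simulated biased source; the bias value 0.8, the sample sizes and the seed are constructed for this example.

```python
"""Added example: Von Neumann's debiasing trick from the paragraph above.
The biased source is simulated with Python's seeded PRNG; all sample
inputs are constructed for this illustration."""
import random


def von_neumann_extract(bits):
    """Pair up the input bits; emit 0 for a '01' pair and 1 for a '10' pair,
    and discard '00' and '11' pairs (and a trailing unpaired bit, if any).
    Assumes independent bits: bias is tolerated, correlation is not."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        first, second = bits[i], bits[i + 1]
        if first != second:
            out.append(first)   # '01' -> 0, '10' -> 1
    return out


def biased_source(num_bits, prob_one, seed):
    """Constructed source of independent bits with Prob[1] = prob_one."""
    rng = random.Random(seed)
    return [1 if rng.random() < prob_one else 0 for _ in range(num_bits)]


def fraction_of_ones(bits):
    """Empirical bias of a bit string (0.5 means unbiased)."""
    return sum(bits) / len(bits) if bits else 0.0


def expected_yield(prob_one):
    """Expected number of output bits per input pair: Prob[01] + Prob[10].
    The two probabilities are equal, which is why the output is unbiased."""
    return 2 * prob_one * (1 - prob_one)


if __name__ == "__main__":
    raw = biased_source(20000, 0.8, seed=1)
    fixed = von_neumann_extract(raw)
    print(f"input bias {fraction_of_ones(raw):.3f}, "
          f"output bias {fraction_of_ones(fixed):.3f}, "
          f"kept {len(fixed)} of {len(raw)} bits "
          f"(expected {expected_yield(0.8):.2f} per pair)")
```

The price of the trick is throughput: with Prob[1] = 0.8 only about 32% of the input pairs yield an output bit.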


Pseudo-random generators outside cryptography. Starting from areas different 
from cryptography, several methods for pseudo-random generation have been pro- 
posed in the past. A classical notion of pseudo-random generators [36], for instance, 
requires the strings returned by the generator to satisfy certain statistical proper- 
ties that are also satisfied by truly random bits. Examples of such methods are 
linear feedback shift registers or linear congruential generators. Other methods, 
motivated by the problem of reducing the randomness required by probabilistic 
polynomial-time algorithms, only require the strings returned by the generator to 
hit some large subsets at least once with high probability, or an average number 
of times equal to the density of the subset. Some generators with these proper- 
ties are based on pairwise independent hash functions or permutations, or random 
walks on expander graphs. Although useful for their motivating application, these 
generators are not strong enough for most cryptographic applications, for which a 
new and stronger definition of pseudo-randomness was required. 


3.1. Definitions 


Two main approaches have been used in defining cryptographically-secure pseudo- 
random generators. The first approach [6] required that it be computation- 
ally hard to predict the next bit output by a pseudo-random generator signifi- 
cantly better than by random guessing. (Previously, a similar test, based on 
sequences of bits rather than single bits, had been proposed in [48].) Later, another 
approach was proposed in [52], requiring that no polynomial-time algorithm could 
distinguish the output of a pseudo-random generator from a random string of the 
same length. In [52] it was also proved that the two approaches are equivalent; in 
other words, a pseudo-random generator that can pass the next-bit test is also a 
pseudo-random generator that can pass all polynomial-time statistical tests (and 
vice versa). 

In order to formalize this definition, we will first give the important def- 
initions of polynomial-time indistinguishability (also called computational indis- 
tinguishability) between distributions and of pseudo-random distributions. The 
definition of polynomial-time indistinguishability captures the intuition of two dis- 
tributions that cannot be told apart by any polynomial-time statistical test. 


Definition 7. For any $n$, let $X_n, Y_n$ be distributions over $\{0,1\}^n$. We say that 
the families of distributions $X = \{X_n : n \in \mathbb{N}\}$ and $Y = \{Y_n : n \in \mathbb{N}\}$ are 
polynomial-time indistinguishable if for any polynomial-time algorithm $A$ and any 
polynomial $p$, there exists $c$ such that for all $n > c$ it holds that 


$$\big|\,\mathrm{Prob}[\,u \leftarrow X_n : A(u) = 1\,] - \mathrm{Prob}[\,u \leftarrow Y_n : A(u) = 1\,]\,\big| < 1/p(n).$$ 


We note that although in the above definition the algorithm $A$ is given a single 
sample from either distribution $X_n$ or distribution $Y_n$, it has been proved that this 
definition is equivalent to one in which $A$ takes as input a polynomial number of 
independent samples from either distribution. 

Given the above definition, we have that a pseudo-random distribution can 
be defined in terms of polynomial-time indistinguishability with the uniform dis- 
tribution. 


Definition 8. For any $n$, let $X_n$ be a distribution over $\{0,1\}^n$ and let $U_n$ be the 
uniform distribution over $\{0,1\}^n$. We say that the family of distributions $X = 
\{X_n : n \in \mathbb{N}\}$ is pseudo-random if it is polynomial-time indistinguishable from 
$U = \{U_n : n \in \mathbb{N}\}$. 


We can now formally define pseudo-random generators as functions that expand 
the input and induce pseudo-random distributions. 
Definition 9. Let $U_n$ denote the uniform distribution over $\{0,1\}^n$. A deterministic 
polynomial-time computable collection of functions $G = \{G_n : n \in \mathbb{N}\}$, where 
$G_n : \{0,1\}^n \to \{0,1\}^m$, is a pseudo-random generator if $m > n$ and the family of 
distributions $DG = \{DG_n : n \in \mathbb{N}\}$, where $DG_n = \{s \leftarrow U_n;\ r \leftarrow G_n(s) : r\}$, is 
pseudo-random. 


An important tool that has been crucial for many constructions of pseudo-random 
generators is that of “hard-core bit” of a function. A hard-core bit is defined for 
one-way functions as a predicate of an input to the function; the intuition behind 
this notion is the intention to capture the entire hardness of inverting the one-way 
function in a single bit. 


Definition 10. A collection of functions $F = \{f_n : n \in \mathbb{N}\}$, where $f_n : \{0,1\}^n \to 
\{0,1\}^m$, is a collection of boolean predicates if $m = 1$ for all $n \in \mathbb{N}$. 


Definition 11. Let $F = \{f_n : n \in \mathbb{N}\}$ be a collection of functions. A collection of 
predicates $B = \{b_n : n \in \mathbb{N}\}$ is a hard-core bit for $F$ if the following holds: 
1. There exists an efficient algorithm $E$ such that $E(1^n, x) = b_n(x)$ for all $x \in 
\{0,1\}^n$; 
2. The distribution (induced by $B$) $DB = \{DB_n : n \in \mathbb{N}\}$, where $DB_n = \{x \leftarrow 
\{0,1\}^n : b_n(x)\}$, is pseudo-random. 


A deterministic hard-core bit has been presented for collections of one-way func- 
tions based on discrete logarithms (the most significant bit) or squaring modulo 
composite integers (the least significant bit). It has been proved in [27] that for 
any one-way function the probabilistic predicate returning the inner product of 
the input with a random string is a hard-core bit. 


Theorem 2. For any collection of one-way functions F there exists a probabilistic 
hard-core bit for F. 


3.2. Constructions 


Perhaps surprisingly, hardness (of inverting one-way functions) and pseudo-ran- 
domness (of the output of pseudo-random generators) turned out to be very 
related. A fundamental result in cryptography is the construction of a pseudo- 
random generator from any one-way function [31]. We cover here the proof of a 
simpler version of this result: that is, the special case in which the given one- 
way function is actually a one-way permutation. We divide the proof of this fact 
in two claims. The first claim shows how to construct pseudo-random generators 
that expand the input by only one bit from any one-way permutation. The sec- 
ond claim shows how to construct pseudo-random generators expanding the input 
by an arbitrary polynomial amount from the obtained pseudo-random generator 
expanding the input by a single bit. We also discuss how to construct a one-way 
function from any pseudo-random generator. 


Claim 1. If there exists a collection of one-way permutations then there exists a 
collection of pseudo-random generators $G = \{G_n : n \in \mathbb{N}\}$, where $G_n : \{0,1\}^n \to 
\{0,1\}^{n+1}$. 
Proof. Given a collection of one-way permutations $F = \{f_n : n \in \mathbb{N}\}$, where 
$f_n : \{0,1\}^n \to \{0,1\}^n$, we consider the hard-core bit $B = \{b_n : n \in \mathbb{N}\}$ guaranteed 
by Theorem 2. We then define a collection $G = \{G_n : n \in \mathbb{N}\}$, where $G_n : 
\{0,1\}^n \to \{0,1\}^{n+1}$ is defined as $G_n(x) = f_n(x) \circ b_n(x)$ for any $x \in \{0,1\}^n$, and 
would like to prove that $G$ is a collection of pseudo-random generators. Assume by 
contradiction that this is not the case. Then it holds that there exists an algorithm 
$A$ and a polynomial $p$ such that the difference 


$$\big|\,\mathrm{Prob}[\,x \leftarrow U_n;\ u \leftarrow G_n(x) : A(u) = 1\,] - \mathrm{Prob}[\,u \leftarrow U_{n+1} : A(u) = 1\,]\,\big|$$ 

is at least $1/p(n+1)$. We now define 

$$\alpha = \mathrm{Prob}[\,x \leftarrow U_n : A(f_n(x) \circ b) = 1 \mid b = b_n(x)\,],$$ 

$$\beta = \mathrm{Prob}[\,x \leftarrow U_n : A(f_n(x) \circ b) = 1 \mid b = 1 - b_n(x)\,].$$ 
Then we can rewrite the second term $\mathrm{Prob}[\,u \leftarrow U_{n+1} : A(u) = 1\,]$ in the above in- 
equality as $\mathrm{Prob}[\,x \leftarrow U_n;\ b \leftarrow \{0,1\} : A(f_n(x) \circ b) = 1\,]$ (here we use that $f_n$ is a 
permutation, so $f_n(x)$ is uniformly distributed when $x \leftarrow U_n$), which is equal to 
$(\alpha + \beta)/2$ after conditioning over $\mathrm{Prob}[\,b = b_n(x)\,]$ and $\mathrm{Prob}[\,b = 1 - b_n(x)\,]$. Also, 
we see that the first term $\mathrm{Prob}[\,x \leftarrow U_n;\ u \leftarrow G_n(x) : A(u) = 1\,]$ in the above 
inequality is equal to $\alpha$. Therefore we get that $|\alpha - (\alpha + \beta)/2| = |\alpha - \beta|/2$ is 
$\ge 1/p(n+1)$. We now construct an algorithm $A'$ that on input $f_n(x)$ tries to compute 
$b_n(x)$ and we show that it succeeds with probability significantly better than $1/2$ 
(we assume $\alpha \ge \beta$; otherwise $A'$ outputs the complement of the bit below). 
Input for Algorithm $A'$: $f_n(x)$ 
Instructions for Algorithm $A'$: 


1. randomly choose $b \in \{0,1\}$ 
2. let $d = A(f_n(x) \circ b)$ 
3. if $d = 1$ then output $b$ else output $1 - b$. 


We see that the probability $\mathrm{Prob}[\,x \leftarrow U_n : A'(f_n(x)) = b_n(x)\,]$ can be computed as 
$\alpha/2 + (1 - \beta)/2$ after conditioning over $\mathrm{Prob}[\,b = b_n(x)\,]$ and $\mathrm{Prob}[\,b = 1 - b_n(x)\,]$. 
Finally, observe that $\alpha/2 + (1 - \beta)/2 = 1/2 + (\alpha - \beta)/2 \ge 1/2 + 1/p(n+1)$. 


Claim 2. If there exists a collection of one-way permutations then for any polyno- 
mial $p$, there exists a collection of pseudo-random generators $H = \{H_n : n \in \mathbb{N}\}$, 
where $H_n : \{0,1\}^n \to \{0,1\}^{p(n)}$. 


Proof. The construction of $H$ can be seen as a particular iterated version of the 
construction of $G$ in Claim 1, and, in turn, uses an iterated application of $F$. 
Precisely, we define the collection $H = \{H_n : n \in \mathbb{N}\}$, where $H_n : \{0,1\}^n \to \{0,1\}^{p(n)}$ 
is defined as 
$$H_n(x) = b_n(f_n^{p(n)-1}(x)) \circ \cdots \circ b_n(f_n(x)) \circ b_n(x),$$ 
and $f_n^i$ denotes the $i$- 
times iterated application of $f_n$, where each application takes as input the output of 
the previous one. We will prove that $H$ is a collection of pseudo-random generators 
by using an application of the so-called ‘hybrid proof technique’ [29]. 

Assume by contradiction that $H_n$ is not pseudo-random. Then this assump- 
tion can be written as saying that there exists a polynomial $q$ and a probabilistic 
polynomial-time algorithm $A$ such that for infinitely many $n$’s, it holds that 
$$\Delta = \big|\,\mathrm{Prob}[\,x \leftarrow U_n;\ u \leftarrow H_n(x) : A(u) = 1\,] - \mathrm{Prob}[\,u \leftarrow U_{p(n)} : A(u) = 1\,]\,\big| \ge 1/q(n),$$ 


where, for any $m$, by $U_m$ we denote the uniform distribution over $\{0,1\}^m$. Let $D_0$ 
denote the distribution induced by $H_n$ on input a randomly chosen $n$-bit string 
$x$. Moreover, for $i = 1, \ldots, p(n)$, let $D_i$ be the distribution that randomly chooses 


$x \in \{0,1\}^n$ and $r_0, \ldots, r_{i-1} \in \{0,1\}$ and returns 
$$b_n(f_n^{p(n)-1}(x)) \circ \cdots \circ b_n(f_n^{i}(x)) \circ r_{i-1} \circ \cdots \circ r_0.$$ 
Note that $D_{p(n)}$ is equal to the uniform distribution $U_{p(n)}$ over $p(n)$ 
bits. Then we can bound $\Delta$ as 
$$\Delta \le \sum_{i=0}^{p(n)-1} \big|\,\mathrm{Prob}[\,u \leftarrow D_i : A(u) = 1\,] - \mathrm{Prob}[\,u \leftarrow D_{i+1} : A(u) = 1\,]\,\big|,$$ 

and since $\Delta \ge 1/q(n)$ we obtain that there exists a $j \in \{0, \ldots, p(n) - 1\}$ such that 

$$\big|\,\mathrm{Prob}[\,u \leftarrow D_j : A(u) = 1\,] - \mathrm{Prob}[\,u \leftarrow D_{j+1} : A(u) = 1\,]\,\big| \ge 1/(q(n)p(n)).$$ 
Then we can construct an algorithm $A'$ that uses $A$ to violate the pseudo-random- 
ness of the collection of generators $G$ from Claim 1. 
Input for Algorithm $A'$: $u \in \{0,1\}^{n+1}$, where $u = x \circ b$, for $x \in \{0,1\}^n$ and 
$b \in \{0,1\}$. 
Instructions for Algorithm $A'$: 

1. randomly choose $h \in \{0, \ldots, p(n) - 1\}$ 

2. randomly choose $c_0, \ldots, c_{h-1} \in \{0,1\}$ 

3. let $y = b_n(f_n^{p(n)-h-2}(x)) \circ \cdots \circ b_n(f_n(x)) \circ b_n(x) \circ b \circ c_{h-1} \circ \cdots \circ c_0$ 

4. if $A(y) = 1$ then output 1 else output 0. 


Assume $h = j$ (this happens with probability $1/p(n)$). We see that the value $y$ in 
step 3 is distributed according to $D_{j+1}$ if $u$ is distributed according to $U_{n+1}$, or 
according to $D_j$ if $u$ is distributed according to $G_n$ (again because $f_n$ is a permutation, 
a uniform $x$ is $f_n(z)$ for a uniform $z$). We obtain that 
$$
\begin{aligned}
&\big|\,\mathrm{Prob}[\,x \leftarrow U_n;\ u \leftarrow G_n(x) : A'(u) = 1\,] - \mathrm{Prob}[\,u \leftarrow U_{n+1} : A'(u) = 1\,]\,\big| \\
&\ge (1/p(n)) \cdot \big|\,\mathrm{Prob}[\,u \leftarrow D_j : A(u) = 1\,] - \mathrm{Prob}[\,u \leftarrow D_{j+1} : A(u) = 1\,]\,\big| \\
&\ge 1/(q(n) \cdot p^2(n)),
\end{aligned}
$$ 


from which we derive our desired contradiction. 


An implication of Claim 1 is that any candidate for a one-way permutation gives 
rise to a pseudo-random generator via the construction described in the proof of 
the claim. We note that the construction of a pseudo-random generator starting 
from a generic one-way permutation uses a probabilistic hard-core bit. It is of 
interest to notice that pseudo-random generators can be constructed also using 
deterministic hard-core bits. Two of the most important examples are based on 
squaring modulo composites and discrete logarithms. Specifically, the previously 
considered squaring function, when defined over the quadratic residues $(\mathbb{Z}_N^*)^2$, is 
a one-way permutation, and its hard-core bit is the least significant bit. Moreover, 
the previously defined exponentiation (modulo primes) function can be used as a 
one-way permutation and its hard-core bit is its most significant bit. 
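As an added example (not code from the lecture notes), the following Python implements the generators of Claims 1 and 2 with the exponentiation permutation and its most significant bit from the paragraph above, i.e. the Blum-Micali generator; p = 23, g = 5 and the seed 7 are toy values assumed for illustration, and the inner-product predicate of Theorem 2 is included as a second hard-core bit.

```python
"""Added example: G_n(x) = f_n(x) o b_n(x) (Claim 1) and
H_n(x) = b_n(f_n^{p-1}(x)) o ... o b_n(f_n(x)) o b_n(x) (Claim 2),
instantiated with f(x) = g^x mod p on Z_p^* and its most significant bit.
p = 23, g = 5 and the seed are toy parameters; a real instance needs a
large prime and a cryptographic-size seed."""


def exp_permutation(p, g):
    """f(x) = g^x mod p on {1, ..., p-1}; a permutation when g generates Z_p^*."""
    return lambda x: pow(g, x, p)


def is_permutation(f, domain):
    """Check that f maps `domain` onto itself bijectively (small domains only)."""
    domain = list(domain)
    return sorted(f(x) for x in domain) == sorted(domain)


def msb_predicate(p):
    """The 'most significant bit' of x in Z_p^* in the Blum-Micali sense:
    1 iff x lies in the upper half of {1, ..., p-1}."""
    half = (p - 1) // 2
    return lambda x: 1 if x > half else 0


def inner_product_predicate(r):
    """Theorem 2's probabilistic hard-core bit <x, r> mod 2 for a fixed random
    string r, represented here as the integer whose binary digits are r."""
    return lambda x: bin(x & r).count("1") % 2


def one_bit_generator(f, b, x):
    """Claim 1: G(x) = f(x) o b(x), expanding the seed by one bit."""
    return (f(x), b(x))


def iterated_generator(f, b, x, length):
    """Claim 2: H(x) = b(f^{length-1}(x)) o ... o b(f(x)) o b(x).
    The seed is consumed only through f; every output bit is a hard-core bit
    of an intermediate value that the observer never sees."""
    bits = []
    for _ in range(length):
        bits.append(b(x))
        x = f(x)
    return bits[::-1]


if __name__ == "__main__":
    p, g = 23, 5                       # toy parameters: 5 generates Z_23^*
    f = exp_permutation(p, g)
    assert is_permutation(f, range(1, p))
    print(one_bit_generator(f, msb_predicate(p), 7))        # (17, 0)
    print(iterated_generator(f, msb_predicate(p), 7, 6))    # [1, 0, 1, 1, 1, 0]
    print(iterated_generator(f, inner_product_predicate(9), 7, 6))
```

With p = 23 the orbit of the seed 7 under f has length 4, so the output repeats after four bits; this is the toy size showing, not the construction.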
A pseudo-random generator is itself a one-way function, having different- 
size domain and range, and can be used to define a one-way function with equal 
domain and range, by using simple domain padding. An intuition to prove this 
goes as follows. Assume the function thus constructed is not one-way; then there 
exists an efficient algorithm that inverts the one-way function with non-negligible 
probability and for infinitely many input sizes. This algorithm can itself be used to 
distinguish a pseudo-random output from a random string of the same length, as 
with sufficiently high probability a random string does not belong to the range of 
the pseudo-random generator and therefore the inverter would not find a preimage 
for it. 


3.3. A Cryptographic Application


An important application of pseudo-random generators is in reducing the amount
of random bits required in cryptographic protocols secure against polynomial-time
adversaries.

A well-known private-key encryption scheme is the "One-Time Pad", originally
invented in [51] in 1918. Assume Alice and Bob agree on a random key $K$ (a
random "pad"); then they can communicate securely (that is, without the
eavesdropper Eve obtaining any information about their message) as follows. On
input message $m$, Alice computes the ciphertext $c = m \oplus [K]$, where $[K]$
denotes a substring of $K$ of appropriate length, and sends it to Bob. Given
$c$, Bob recovers the message $m$ by decrypting $c$ as $m = c \oplus [K]$. Here
$\oplus$ is the "exclusive OR" operator, and $K$ is at least as large as $m$;
each substring of the pad is used for one message only, since a pad substring
used for two messages $m, m'$ lets Eve compute $m \oplus m'$ from the two
ciphertexts. The following two facts make the one-time pad encryption scheme
quite remarkable. First, as shown by Shannon in [49], any encryption scheme
such that the ciphertext does not reveal any information about the plaintext
(that is, any provably-secure, in the information-theoretic sense, encryption
scheme) must satisfy $|K| \geq |m|$. Therefore the one-time pad is optimally
secure in an information-theoretic sense. Second, the encryption and decryption
operations are essentially optimal in terms of time complexity (being a mere
exclusive-or operation). Unfortunately, the length of the key is inappropriate
for most practical cryptographic applications. Still, one-time pads are widely
utilized as atomic components of more elaborate encryption systems by employing
pseudo-random generators to generate arbitrarily long sequences of
pseudo-random bits (given only a short shared random seed). In this case the
resulting pseudo-random sequence is used as the pad. The employment of
pseudo-random generators allows the transmission of messages longer than the
shared key but, naturally, loses information-theoretic security (security now
relies on the security of the pseudo-random generator). In many practical
applications this is an acceptable loss, since we assume the adversary runs in
polynomial time.
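The scheme just described, as an added example that is not part of the original text: the one-time pad over byte strings, the pad-expansion trick of the previous paragraph, and the failure mode that gives the scheme its name. The "pseudo-random generator" used to expand a short seed is a stand-in built from SHA-256 in counter mode; it is an assumption made for the example, not a construction from the text.

```python
# Added example (not from the original text): one-time pad over bytes,
# a PRG-expanded pad, and what leaks when a pad is reused.
# The PRG below is a stand-in (SHA-256 in counter mode), assumed for the example.
import hashlib
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise exclusive-or of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("xor operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def fresh_pad(nbytes: int) -> bytes:
    """A uniformly random pad K of the requested length."""
    return secrets.token_bytes(nbytes)


def otp_encrypt(pad: bytes, m: bytes) -> bytes:
    """c = m XOR [K]: the pad must be at least as long as the message.
    The caller must never reuse the same pad bytes for a second message."""
    if len(pad) < len(m):
        raise ValueError("one-time pad shorter than message: |K| >= |m| required")
    return xor_bytes(m, pad[: len(m)])


def otp_decrypt(pad: bytes, c: bytes) -> bytes:
    """m = c XOR [K]; decryption is the same operation as encryption."""
    return otp_encrypt(pad, c)


def prg_expand(seed: bytes, nbytes: int) -> bytes:
    """Stand-in length-expanding PRG (assumption): hash(seed || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:nbytes]


def stream_encrypt(seed: bytes, m: bytes) -> bytes:
    """Use the PRG output as the pad: a short shared seed encrypts a long message.
    Security now rests on the PRG, not on information theory; the seed must
    not be reused either, for the same reason a pad must not be."""
    return otp_encrypt(prg_expand(seed, len(m)), m)


def two_time_pad_leak(pad: bytes, m1: bytes, m2: bytes) -> bytes:
    """What Eve learns when the same pad bytes encrypt two messages:
    c1 XOR c2 = m1 XOR m2, independently of the pad."""
    c1 = otp_encrypt(pad, m1)
    c2 = otp_encrypt(pad, m2)
    return xor_bytes(c1, c2)
```

`two_time_pad_leak` is the check worth running once: the pad cancels out of `c1 XOR c2`, so with two ciphertexts under one pad Eve holds `m1 XOR m2`, and any guess about one message (a known header, a common word) immediately reveals the corresponding bytes of the other.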


4. Pseudo-Random Functions


Random functions are functions that, on each input, return an output value that
is chosen uniformly and independently from any other output. (If called twice on
the same input, however, the function returns the same random output.) Clearly,
such functions do not have a description shorter than their input/output table.
This may be too long for practical applications, where the input has to be as
long as the intended security parameter.

Pseudo-random functions aim to achieve essentially the same effect as random
functions, with respect to polynomial-time observers, and yet, at the same time,
admit an efficient description. Specifically, pseudo-random functions are
functions that use a fixed and short random string, the seed, and a variable
string, the input, to produce an output string that 'looks' random to a
polynomial-time observer. Furthermore, the function cannot be distinguished from
a random function even if an efficient adversary is able to adaptively repeat
the process of choosing an input to the function and obtaining the
corresponding output, a polynomial number of times. The important requirement
for this to be possible is that the seed is randomly chosen and is kept secret
from the adversary.

Pseudo-random functions can replace random functions in any cryptographic
application where the adversary runs in polynomial time and the function is used
in a black-box fashion. When contrasted with pseudo-random generators, we see
that pseudo-random functions are even more powerful, as they allow efficient
direct access to any position of a pseudo-random sequence so long (exponential
in the seed length) that it cannot even be feasibly scanned bit by bit. The
output returned by a pseudo-random generator, instead, is only polynomially
longer than the amount of randomness used as input.


4.1. Definitions


We now proceed with formal definitions for pseudo-random functions and permu-
tations. We start by defining oracles and oracle adversaries.


Definition 12. An oracle $O = \{O_n : n \in \mathbb{N}\}$ is a collection of
functions $O_n : \{0,1\}^n \to \{0,1\}^n$. An efficient algorithm $A$ is an
oracle adversary if it is given access to oracle $O$ and, on input $1^n$, can
repeat the following process a polynomial number of times:

1. on input $1^n$ and $x_1, y_1, \ldots, x_i, y_i \in \{0,1\}^n$, compute $x_{i+1}$

2. set $y_{i+1} = O_n(x_{i+1})$

An oracle adversary $A$ who is given access to oracle $O$ is also denoted as $A^O$.


The formal definition of pseudo-random functions is then given as functions that
are computationally indistinguishable from random functions by any efficient
oracle adversary.


Definition 13. For any $n \in \mathbb{N}$, let $R_n$ be the set of all functions
$r_n : \{0,1\}^n \to \{0,1\}^n$, and let $f_n$ be a function
$f_n : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n$. Consider the following
probabilistic experiment INIT:

1. Uniformly choose $r_n \leftarrow R_n$ for each $n \in \mathbb{N}$

2. Set RAND $= \{r_n : n \in \mathbb{N}\}$

3. Uniformly choose $s \in \{0,1\}^n$ for each $n \in \mathbb{N}$

4. Set $f_s = f_n(s, \cdot)$

5. Set REAL $= \{f_s : n \in \mathbb{N}\}$

We say that REAL is a collection of pseudo-random functions if for any efficient
oracle adversary $A$ and any polynomial $p$, there exists $c$ such that for all
$n > c$ it holds that

$$\big|\,\Pr[\,\mathrm{INIT};\ O \leftarrow f_s : A^O(1^n) = 1\,] - \Pr[\,\mathrm{INIT};\ O \leftarrow r_n : A^O(1^n) = 1\,]\,\big| < 1/p(n).$$


The formal definition of pseudo-random permutations is a direct adaptation of the
previous definition for functions.


Definition 14. For any $n \in \mathbb{N}$, let $P_n$ be the set of all
permutations $p_n : \{0,1\}^n \to \{0,1\}^n$, and let $f_n$ be a function
$f_n : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n$ such that for each
$s \in \{0,1\}^n$, the function $f_n(s, \cdot)$ is a permutation. Consider the
following probabilistic experiment INIT:

1. Uniformly choose $p_n \leftarrow P_n$ for each $n \in \mathbb{N}$

2. Set RAND $= \{p_n : n \in \mathbb{N}\}$

3. Uniformly choose $s \in \{0,1\}^n$ for each $n \in \mathbb{N}$

4. Set $f_s = f_n(s, \cdot)$

5. Set REAL $= \{f_s : n \in \mathbb{N}\}$

We say that REAL is a collection of pseudo-random permutations if for any
efficient oracle adversary $A$ and any polynomial $q$, there exists $c$ such that
for all $n > c$ it holds that

$$\big|\,\Pr[\,\mathrm{INIT};\ O \leftarrow f_s : A^O(1^n) = 1\,] - \Pr[\,\mathrm{INIT};\ O \leftarrow p_n : A^O(1^n) = 1\,]\,\big| < 1/q(n).$$

4.2. Constructions


We describe two important constructions of pseudo-random functions and permu-
tations: a construction of a pseudo-random function from any pseudo-random gen-
erator [24] and a construction of a pseudo-random permutation from any pseudo-
random function [42]. We also discuss how to construct a one-way function from
any pseudo-random function.

The first result we present is the following


Theorem 3. If there exists a collection of pseudo-random generators then there
exists a collection of pseudo-random functions.


Proof. Let $G = \{G_n : n \in \mathbb{N}\}$ be a collection of pseudo-random
generators stretching $n$ bits to $2n$ bits; that is,
$G_n : \{0,1\}^n \to \{0,1\}^{2n}$ for all $n$. We denote by
$G_n^0 : \{0,1\}^n \to \{0,1\}^n$ the function such that $G_n^0(s)$ is equal to
the first $n$ bits of $G_n(s)$, for all $s \in \{0,1\}^n$. Similarly, we denote
by $G_n^1 : \{0,1\}^n \to \{0,1\}^n$ the function such that $G_n^1(s)$ is equal
to the second $n$ bits of $G_n(s)$, for all $s \in \{0,1\}^n$. Then we define a
collection of functions $F = \{f_s : |s| \in \mathbb{N}\}$, where
$f_s : \{0,1\}^n \to \{0,1\}^n$ is defined as

$$f_s(x) = G_n^{x_n}\big(G_n^{x_{n-1}}(\cdots G_n^{x_2}(G_n^{x_1}(s))\cdots)\big),$$

for each $x = x_1 \circ \cdots \circ x_n$ with $x_i \in \{0,1\}$, for
$i = 1, \ldots, n$.

This construction is also called the 'tree construction' for pseudo-random
functions. For each $s$, consider the following tree $T_s$: each level of the
tree is associated with an application of $G_n$; on input $s$, the root computes
$G_n(s)$ and branches into two subtrees, passing $G_n^0(s)$ as input to its left
child and $G_n^1(s)$ as input to its right child; the tree construction then
continues recursively for the remaining bits $x_2, \ldots, x_n$, and the $2^n$
leaves of $T_s$ contain all possible outputs of $f_s$. Evaluating $f_s(x)$ thus
amounts to following the root-to-leaf path selected by the bits of $x$, which
costs $n$ applications of $G_n$ and never requires materialising the tree.

We now show that $F$ is a collection of pseudo-random functions. The proof
contains an interesting application of the hybrid proof technique. Assume by
contradiction that $F$ is not pseudo-random. Then this assumption can be written
as saying that there exists a polynomial $q$ and an efficient oracle adversary
$A$ such that for infinitely many $n$'s it holds that
$\Delta = |p_{real} - p_{rand}| \geq 1/q(n)$, where

$$p_{real} = \Pr[\,\mathrm{INIT};\ O \leftarrow f_s : A^O(1^n) = 1\,],$$
$$p_{rand} = \Pr[\,\mathrm{INIT};\ O \leftarrow r_n : A^O(1^n) = 1\,].$$

Also, let $p$ be a polynomial such that $A$ makes at most $p(n)$ queries to $O$
in the above probabilities.

In the sequel, to avoid overburdening the notation, we fix $n \in \mathbb{N}$
and a randomly chosen $s \in \{0,1\}^n$. For $i = 0, \ldots, n$, we define
hybrid functions $g^i$ that differ from $f_s$ only in that they apply $i$ times
an independently chosen random function and $n - i$ times the generator $G_n$.
Formally, for $i = 0, \ldots, n$, let $D_i$ denote the distribution induced by
the following probabilistic experiment INIT':

1. Uniformly choose $r_j^b \leftarrow R_n$ for $j = 1, \ldots, n$ and $b \in \{0,1\}$

2. Uniformly choose $s \in \{0,1\}^n$

3. For each $x \in \{0,1\}^n$ and each $i = 0, \ldots, n$, define

$$g^i(x) = G_n^{x_n}\Big(\cdots G_n^{x_{i+1}}\big(r_i^{x_i}(\cdots (r_1^{x_1}(s))\cdots)\big)\cdots\Big)$$

Note that $p_{real}$ is equal to
$\Pr[\,\mathrm{INIT}';\ O \leftarrow g^0 : A^O(1^n) = 1\,]$, and that, by the
triangle inequality, $\Delta$ is at most

$$\big|\,p_{rand} - \Pr[\,\mathrm{INIT}';\ O \leftarrow g^n : A^O(1^n) = 1\,]\,\big| + \sum_{i=0}^{n-1} \Delta_i,$$

where $\Delta_i$ is the difference

$$\big|\,\Pr[\,\mathrm{INIT}';\ O \leftarrow g^i : A^O(1^n) = 1\,] - \Pr[\,\mathrm{INIT}';\ O \leftarrow g^{i+1} : A^O(1^n) = 1\,]\,\big|.$$

We now prove the following


Claim 3. It holds that
$$\big|\,p_{rand} - \Pr[\,\mathrm{INIT}';\ O \leftarrow g^n : A^O(1^n) = 1\,]\,\big| \leq 2np(n)^2/2^n.$$


Proof. Note that the function $O$ defined in probability $p_{rand}$ is a random
function. Therefore the claim follows from two main observations. Denote by GOOD
the event that none of $A$'s queries to $g^n$ results in any of the functions
$r_j^b$ being evaluated on two equal inputs. The first observation is that if
event GOOD happens then the tuple containing $A$'s queries and the replies to
such queries by $g^n$ is distributed identically to the same tuple when the
queries are answered by the random function of experiment $p_{rand}$. The
second observation is that the probability that GOOD does not happen is at most
$2np(n)^2/2^n$, as there are at most $p(n)$ queries made by $A$, each query
results in the evaluation of $n$ of the $2n$ random functions $r_j^b$, and,
unless an earlier collision occurred, each such evaluation is on a uniformly
distributed $n$-bit input.

Given Claim 3, observing that $2np(n)^2/2^n < 1/(2q(n))$ for all sufficiently
large $n$, and since by our contradiction assumption $\Delta \geq 1/q(n)$, we
obtain that there exists a $j \in \{0, \ldots, n-1\}$ such that
$\Delta_j \geq 1/(2nq(n))$. Then we can construct an adversary $B$ that uses
oracle adversary $A$ to violate the pseudo-randomness of the collection of
$n$-bit to $2n$-bit generators $G$.


Input for Algorithm B: $t : \{0,1\}^n \to \{0,1\}^{2n}$
Instructions for Algorithm B:


1. run INIT'

2. randomly choose $h \in \{1, \ldots, n\}$

3. define $g(x) = G_n^{x_n}\Big(\cdots G_n^{x_{h+1}}\big(t^{x_h}(r_{h-1}^{x_{h-1}}(\cdots (r_1^{x_1}(s))\cdots))\big)\cdots\Big)$,
   where $t^0(v)$ and $t^1(v)$ denote the first and the second $n$ bits of $t(v)$

4. set $O = g$, let $d = A^O(1^n)$ and output: $d$.


We remark that the functions $r_j^b$ used in the above description are
implemented as follows: on a new input $z$, they return an $n$-bit independently
and uniformly chosen string $u$; on an old input, they return the previously
returned output. Note that $A$ can only make polynomially many queries, therefore
$B$ only needs to remember a polynomial number of previous outputs.


Assume $h = j + 1$ (this happens with probability $1/n$). We see that in step 3
the function $O$ is equal to $g^{j+1}$ if $t$ is a random function, and to $g^j$
if $t$ is equal to $G_n$. Then $B$ distinguishes polynomially many outputs of
$G_n$ on independent random seeds from as many independent random $2n$-bit
strings, that is, $B$ contradicts the pseudo-randomness of $G$ with respect to
multiple samples, and therefore (by a standard hybrid argument over the
samples) the pseudo-randomness of $G$.
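The tree construction of Theorem 3 and the hybrid functions $g^i$ of its proof, as an added example that is not code from the original text. The length-doubling generator $G_n$ is a stand-in built from SHA-256 (an assumption for the example; the theorem needs only some pseudo-random generator), and the random functions $r_j^b$ are implemented exactly as the remark after Algorithm B describes: a fresh uniform output on a new input, the stored output on a repeated one.

```python
# Added example (not from the original text): GGM tree PRF from a length-doubling
# PRG, plus the hybrids g^i used in the proof. G is a SHA-256 stand-in (assumption).
import hashlib
import secrets


def G(s: bytes) -> bytes:
    """Stand-in length-doubling PRG G_n: |s| bytes in, 2|s| bytes out (|s| = 32 here)."""
    return hashlib.sha256(b"\x00" + s).digest() + hashlib.sha256(b"\x01" + s).digest()


def G_half(b: int, s: bytes) -> bytes:
    """G^0(s) = first half of G(s), G^1(s) = second half."""
    out = G(s)
    n = len(s)
    return out[:n] if b == 0 else out[n:]


def bits(x: bytes):
    """Yield x_1, ..., x_n, most significant bit of each byte first."""
    for byte in x:
        for k in range(7, -1, -1):
            yield (byte >> k) & 1


def ggm_prf(s: bytes, x: bytes) -> bytes:
    """f_s(x) = G^{x_n}( ... G^{x_2}( G^{x_1}(s) ) ... ): walk one root-to-leaf path."""
    v = s
    for b in bits(x):
        v = G_half(b, v)
    return v


class LazyRandomFunction:
    """A random function r : {0,1}^n -> {0,1}^n sampled on demand (the r_j^b of INIT')."""

    def __init__(self, n_bytes: int):
        self.n = n_bytes
        self.table = {}

    def __call__(self, v: bytes) -> bytes:
        if v not in self.table:                    # new input: fresh uniform output
            self.table[v] = secrets.token_bytes(self.n)
        return self.table[v]                       # old input: the stored output


class Hybrid:
    """g^i: the first i levels apply random functions r_j^{x_j}, the remaining
    n - i levels apply the generator. g^0 is f_s; g^n is a random function
    (up to the collision event bounded in Claim 3)."""

    def __init__(self, i: int, s: bytes, n_levels: int):
        self.i = i
        self.s = s
        # r[j][b] is r_{j+1}^b, one independent lazy random function per (level, bit)
        self.r = [[LazyRandomFunction(len(s)) for _ in range(2)] for _ in range(n_levels)]

    def __call__(self, x: bytes) -> bytes:
        v = self.s
        for j, b in enumerate(bits(x)):
            v = self.r[j][b](v) if j < self.i else G_half(b, v)
        return v
```

The `Hybrid` class is the proof made executable: a distinguisher that tells `Hybrid(i, ...)` from `Hybrid(i + 1, ...)` is, for the guessed level, a distinguisher between `G` applied to a fresh value and a fresh random $2n$-bit string.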

The second result we present is the following


Theorem 4. If there exists a collection of pseudo-random functions then there
exists a collection of pseudo-random permutations.


Proof. Let $F = \{f_s : n \in \mathbb{N}\}$ be a collection of pseudo-random
functions, where $f_s : \{0,1\}^n \to \{0,1\}^n$.

The Feistel transform FT is defined as follows. On input $(L_0 \circ R_0)$,
where $|L_0| = |R_0| = n$, FT returns $(L_1 \circ R_1)$, where $L_1 = R_0$ and
$R_1 = L_0 \oplus f_s(R_0)$. Note that this transform is a permutation: given
key $s$ and the output $(L_1 \circ R_1)$, one can compute the input
$(L_0 \circ R_0)$ as $R_0 = L_1$ and $L_0 = R_1 \oplus f_s(R_0)$. However, it is
clearly not pseudo-random: a distinguisher can simply check that $R_0 = L_1$, a
condition that always holds for FT but only holds with very small probability
for a random permutation over $2n$-bit inputs. Similarly, one can see that the
iteration of 2 applications of FT, even using independently chosen atomic
pseudo-random functions, is a permutation but is not pseudo-random (two queries
$(L_0 \circ R_0)$ and $(L_0' \circ R_0)$ with the same right half produce
outputs whose left halves satisfy $L_2 \oplus L_2' = L_0 \oplus L_0'$). It turns
out that the 3-round iteration of FT, when using independently chosen atomic
pseudo-random functions $f_{s_1}, f_{s_2}, f_{s_3}$, is both a permutation and
pseudo-random. We call this construction 3FT.

This proof again uses the hybrid proof technique and therefore we only sketch
its main ideas. Recall that we need to show that an efficient adversary can
distinguish only with negligible probability a 3-round iteration of FT, when
using independently chosen pseudo-random functions $f_{s_1}, f_{s_2}, f_{s_3}$,
from a random permutation.

For $i = 0, 1, 2, 3$, the intermediate construct $D_i$ in the hybrid argument is
defined as the construction 3FT where the pseudo-random functions in the first
$i$ rounds are replaced by random functions. Then the assumption that 3FT is
not pseudo-random can be rephrased by saying that an efficient adversary $A$
can distinguish whether its oracle is $D_0$ or a random permutation with
non-negligible probability. Then note that $D_3$ and a random permutation can
be distinguished with probability at most $3q(n)^2/2^n$ if $q(n)$ is the upper
bound on the number of queries made by the adversary. Then, by an application
of the triangle inequality, we see that $A$ can distinguish $D_i$ from
$D_{i+1}$, for some $i \in \{0, 1, 2\}$, with non-negligible probability. Now,
note that the difference between $D_i$ and $D_{i+1}$ is in the function of the
$(i+1)$-th round, which is pseudo-random in the former and random in the
latter. Furthermore, the remaining rounds can be efficiently simulated by an
algorithm $A'$ that, using $A$, can distinguish whether the oracle it is
interacting with is a pseudo-random or a random function with non-negligible
probability.
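The Feistel transform, the 3FT construction and the distinguishing checks for one and two rounds, as an added example that is not code from the original text. The round functions $f_s$ are a stand-in pseudo-random function, HMAC-SHA256 truncated to $n$ bytes (an assumption for the example; Theorem 4 allows any pseudo-random function).

```python
# Added example (not from the original text): Feistel transform FT, the 3-round
# construction 3FT, its inverse, and the one- and two-round distinguishers.
# The PRF f_s is an HMAC-SHA256 stand-in (assumption).
import hashlib
import hmac

N = 16  # n in bytes; a block (L || R) is 2n = 32 bytes


def prf(s: bytes, x: bytes) -> bytes:
    """Stand-in pseudo-random function f_s : {0,1}^n -> {0,1}^n."""
    return hmac.new(s, x, hashlib.sha256).digest()[:N]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def feistel_round(s: bytes, L: bytes, R: bytes):
    """FT: (L_0, R_0) -> (L_1, R_1) with L_1 = R_0, R_1 = L_0 xor f_s(R_0)."""
    return R, xor(L, prf(s, R))


def feistel_round_inv(s: bytes, L1: bytes, R1: bytes):
    """Invert FT: R_0 = L_1, L_0 = R_1 xor f_s(R_0)."""
    R0 = L1
    return xor(R1, prf(s, R0)), R0


def feistel(keys, block: bytes) -> bytes:
    """Iterate FT once per key; keys = [s1, s2, s3] gives 3FT."""
    L, R = block[:N], block[N:]
    for s in keys:
        L, R = feistel_round(s, L, R)
    return L + R


def feistel_inv(keys, block: bytes) -> bytes:
    """Undo the rounds in reverse order: the construction is a permutation."""
    L, R = block[:N], block[N:]
    for s in reversed(keys):
        L, R = feistel_round_inv(s, L, R)
    return L + R


def detect_one_round(oracle) -> bool:
    """The check from the text: a single FT always has left output == R_0."""
    L, R = bytes(N), b"\x01" * N
    return oracle(L + R)[:N] == R


def detect_two_rounds(oracle) -> bool:
    """Two rounds: L_2 = R_1 = L_0 xor f_1(R_0), so two queries sharing R_0
    satisfy L_2 xor L_2' = L_0 xor L_0'. A random permutation (and 3FT)
    satisfies this only with probability about 2^{-8n}."""
    R = b"\x07" * N
    L, Lp = bytes(N), b"\xff" * N
    out, outp = oracle(L + R), oracle(Lp + R)
    return xor(out[:N], outp[:N]) == xor(L, Lp)
```

Both detectors are two-query, constant-time tests, which is why one and two rounds fail the definition so badly; the third round is what makes the left output depend on a fresh PRF evaluation for every distinct query.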

Since [31] proves that a pseudo-random generator can be constructed from any
one-way function, we immediately obtain the following corollaries.


Corollary 1. If there exists a collection of one-way functions then there exists a
collection of pseudo-random functions.


Corollary 2. If there exists a collection of one-way functions then there exists a
collection of pseudo-random permutations.


A pseudo-random function $F = \{f_n(s, \cdot) : n \in \mathbb{N}\}$ can be used
to define a one-way function $H = \{h_n : n \in \mathbb{N}\}$, where
$h_n(x) = f_n(x, 0^n)$ for any $x \in \{0,1\}^n$ and any $n \in \mathbb{N}$;
that is, the key of the pseudo-random function plays the role of the input to
$h_n$. $H$ is one-way, as otherwise any inverter could be used to compute a key
of the pseudo-random function consistent with its value on the fixed input
$0^n$, and therefore to violate the pseudo-randomness of $F$ (knowing such a
key, a distinguisher predicts the oracle's answer on a second query).


4.3. Examples and Applications


Efficient constructions of pseudo-random functions can be obtained by combining
efficient constructions for pseudo-random generators with Theorem 3.

We note that for greater generality we have defined the original 'asymptotic'
variant of the notions of pseudo-random functions and permutations. We remark
that recently a 'finite' version of these notions, only considering the case of
single functions and permutations (rather than collections of them), has
received a lot of attention in the literature. (We note that such definitions
can be simply derived from the asymptotic ones by only using functions or
permutations $f_s, r_n$ for a fixed $n$, and parameterizing the distinguishing
probability difference.) This has allowed the study of popular finite functions
(such as the cryptographic hash function SHA, and the block ciphers DES and AES)
in an idealized model where such functions are assumed to behave as finite
pseudo-random functions and are used as primitives for more involved
constructions. Based on these assumptions, several studies have been made on
various aspects of these constructions, such as computing upper and lower
bounds on the adversary's success probability in distinguishing the
constructions from truly random oracles.

We briefly review other practical applications of pseudo-random functions,
such as dynamic hashing, private-key encryption, message authentication schemes
and identification schemes.

Dynamic hashing. As a hashing function $h : \{0,1\}^n \to \{0,1\}^m$, for
$m < n$, one can use a pseudo-random function $f_s$ and set $h(x)$ equal to the
first $m$ bits of $f_s(x)$. This makes the hash function more secure in the
sense that even if the adversary obtains hashed values $h(x_i)$ of several
strings $x_i$ of length $n$, the adversary still cannot guess $h(y)$ for a new
string $y$.


Private-key encryption. A secure private-key encryption scheme can be
constructed from any pseudo-random function. Assume Alice and Bob share a key
$s$. Then, in order to send a message $m$ to Bob, Alice randomly chooses $r$ and
sends $(r, f_s(r) \oplus m)$ to Bob. Note that Bob, given $s$ and the pair
$(r, z)$ received from Alice, can compute $m = z \oplus f_s(r)$. However, an
efficient adversary observing the conversation between Alice and Bob, even after
seeing polynomially many $(r_i, z_i)$, does not obtain any meaningful
information about the messages $m_i$, since she only sees random values $r_i$
and pseudo-random values $z_i$ (that still 'look random' to her). The value $r$
must be fresh for every message: if $r_i = r_j$ then
$z_i \oplus z_j = m_i \oplus m_j$, which is why $r$ is drawn at random from a
space large enough that repetitions are negligibly likely.

Message Authentication Schemes. A secure message authentication scheme can be
constructed from any pseudo-random function. Assume Alice and Bob share a key
$s$. Then, in order to send a message $m$ to Bob, Alice computes $f_s(m)$ and
sends $(m, f_s(m))$ to Bob. Note that Bob, given $s$ and the pair $(m, z)$
received from Alice, can verify that $z = f_s(m)$ and therefore believe that the
received message $m$ is the one Alice intended to send him. However, an
efficient adversary observing the conversation between Alice and Bob, upon
seeing $(m, z)$, cannot modify $m$ into a different $m'$ without being detected
by Bob, as she cannot produce the value $f_s(m')$ (or otherwise she could
distinguish $f_s(m')$ from a random value).

Client-Server Identification Schemes. A secure client-server identification
scheme can be constructed from any pseudo-random function. Assume a client and a
server offering some service share a key $s$. Then, in order to offer the service
to her client, the server sends a random message $m$ to the client and provides
the service only if she receives $f_s(m)$ in return. Note that, as for the above
message authentication scheme, an adversary not knowing $s$ cannot obtain the
service from the server, as she can produce $f_s(m')$ for a fresh random value
$m'$ only with very small probability; in particular, replaying a response
$f_s(m)$ observed in an earlier session does not help, since each session uses a
new random challenge.
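The four applications above, written out with both parties' computations, as an added example that is not code from the original text. The pseudo-random function $f_s$ is a stand-in, HMAC-SHA256 (an assumption for the example; the text allows any pseudo-random function, such as the tree construction of Theorem 3).

```python
# Added example (not from the original text): dynamic hashing, private-key
# encryption, message authentication and challenge-response identification
# built on a PRF f_s. The PRF is an HMAC-SHA256 stand-in (assumption).
import hashlib
import hmac
import secrets

N = 32  # output length of f_s in bytes


def f(s: bytes, x: bytes) -> bytes:
    """Stand-in pseudo-random function f_s(x)."""
    return hmac.new(s, x, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Dynamic hashing: h(x) = first m bytes of f_s(x).
def keyed_hash(s: bytes, x: bytes, m: int = 16) -> bytes:
    return f(s, x)[:m]


# Private-key encryption: Alice sends (r, f_s(r) xor m) with a fresh random r.
def encrypt(s: bytes, m: bytes):
    if len(m) > N:
        raise ValueError("one PRF output pads at most N bytes; split longer messages")
    r = secrets.token_bytes(N)      # fresh per message: a repeated r leaks m xor m'
    return r, xor(f(s, r), m)


def decrypt(s: bytes, ciphertext) -> bytes:
    r, z = ciphertext
    return xor(f(s, r), z)


# Message authentication: Alice sends (m, f_s(m)); Bob recomputes and compares.
def mac_tag(s: bytes, m: bytes) -> bytes:
    return f(s, m)


def mac_verify(s: bytes, m: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(f(s, m), tag)   # constant-time comparison


# Client-server identification: server sends random m, client answers f_s(m).
def server_challenge() -> bytes:
    return secrets.token_bytes(N)


def client_respond(s: bytes, challenge: bytes) -> bytes:
    return f(s, challenge)


def server_accepts(s: bytes, challenge: bytes, response: bytes) -> bool:
    return hmac.compare_digest(f(s, challenge), response)
```

`hmac.compare_digest` is used for the two verifications so that a tag or response is not rejected byte by byte, which would let an adversary recover $f_s(m)$ one byte at a time from timing differences; the freshness of `r` and of the server's challenge is what the last assertions in the test exercise.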


110 Giovanni Di Crescenzo


5. Zero-Knowledge Protocols


The seemingly paradoxical notion of Zero-Knowledge Proof Systems, introduced
in [30], has received a great amount of attention in both the cryptography and
computational compl
exity literature. Very informally, a zero-knowledge proof is
a method allowing a prover to convince a verifier of a statement without
revealing any additional information other than the fact that the statement is
true. In other words, all the verifier gains by interacting with the prover on
input a true statement is something that the verifier could have generated by
herself. While the two requirements of 'convincing a verifier' and 'yet not
revealing anything else' may seem hard to coexist, zero-knowledge proofs have
found rigorous formulations and efficient instantiations in various settings.
Furthermore, the general zero-knowledge methodology of revealing only the
necessary minimal information in communication in the presence of adversaries
has become a fundamental tool having wide applicability throughout cryptography.


5.1. Basic Definitions


We start with some basic notions and definitions, including the definition of
interactive protocols of [30].

A language $L$ is a subset of $\{0,1\}^*$. If $L$ is a language, by
$\chi_L : \{0,1\}^* \to \{0,1\}$ we denote the indicator function for the
language $L$ (i.e., $\chi_L(x) = 1$ if and only if $x \in L$). By GI and GNI we
denote the languages of graph isomorphism and graph non-isomorphism (its
complement), respectively. NP is the class of languages decidable in
non-deterministic polynomial time or, equivalently, verifiable in polynomial
time. The 'NP proof system' for a language $L$ consists of two steps: the
prover, on input $x$, sends a witness $w$ of length polynomial in $n = |x|$ to
the verifier; the verifier, on input $x, w$, runs a polynomial-time predicate
to check that $w$ is a witness of the fact that $x \in L$. This proof system is
non-interactive, in the sense that a single message is sent from the prover to
the verifier. Moreover, the verifier runs in deterministic polynomial time. A
binary relation $R(\cdot, \cdot)$ is a boolean predicate over two sets that we
will call respectively the domain $\mathrm{dom}\,R$ and the codomain
$\mathrm{codom}\,R$ of relation $R$. Any language $L$ in NP can be associated
with a polynomial-time relation $R_L$ such that $R_L(x, w) = 1$ if and only if
$w$ is a witness of the fact that $x \in L$. Similarly, one can define a
language $L_R$ associated with a polynomial-time relation $R$.


Interactive Protocols. A probabilistic Turing machine is a Turing machine with an
additional read-only tape, called the random tape, whose content is a sequence of
uniformly and independently distributed bits that can be used to perform
probabilistic computation. An interactive Turing machine is a probabilistic
Turing machine with two additional read/write tapes: an input tape and a
communication tape. An interactive protocol is a pair of interactive Turing
machines sharing the input and communication tapes. If $A$ and $B$ are two
interactive probabilistic Turing machines, by the pair $(A, B)$ we denote an
interactive protocol. Let $x$ be an input common to $A$ and $B$. The transcript
of an execution of protocol $(A, B)$ on input $x$, denoted by
$tr_{(A(y), B(R))}(x)$, where $R$ is the content of $B$'s random tape and $y$ is
$A$'s private input (if any), is the sequence of messages that are written by
$A$ or $B$ on the communication tape during such an execution.

By $A^O$ we denote algorithm $A$ when given oracle access to machine $O$. By
$\mathrm{OUT}_B(tr_{(A(y), B(R))}(x)) \in \{\mathrm{ACCEPT}, \mathrm{REJECT}\}$
we denote $B$'s output at the end of the execution of protocol $(A, B)$ on
common input $x$, where $R$ is $B$'s random tape. We will say that $B$ accepts
(rejects) $x$ if $\mathrm{OUT}_B(tr_{(A(y), B(R))}(x)) = \mathrm{ACCEPT}$
(resp., $= \mathrm{REJECT}$). Also, we will say that transcript
$tr_{(A(y), B(R))}(x)$ is accepting (rejecting) if $B$ accepts (rejects) $x$.

We define $A(y)\text{-}\mathrm{View}_B(x)$, $B$'s view of the interaction with
$A$ on input $x$, as the probability space that assigns to pairs
$(R; tr_{(A(y), B(R))}(x))$ the probability that $R$ is the content of $B$'s
random tape and that $tr_{(A(y), B(R))}(x)$ is the transcript of an execution of
protocol $(A, B)$ on input $x$, given that $R$ is $B$'s random tape and $y$ is
$A$'s private input (if any).

Let $G$ be a probabilistic Turing machine which is given read-only access to the
communication tapes between machines $A$ and $B$. We define
$(A, B)\text{-}\mathrm{View}_G(x)$, $G$'s view of the interaction between $A$
and $B$ on input $x$, as the probability space that assigns to a string
$tr_{(A, B(\cdot))}(x)$ the probability that $tr_{(A, B(\cdot))}(x)$ is the
transcript of some execution of protocol $(A, B)$ on input $x$.


5.2. Zero-Knowledge Proof Systems of Membership


We start by recalling the formal definition of zero-knowledge proof systems of
membership, introduced in [30]. A zero-knowledge proof system of membership is
an interactive protocol in which a prover convinces a polynomial-time verifier
that a string $x$ belongs to a language $L$. Informally, the requirements for
zero-knowledge proof systems of membership are three: completeness, soundness
and zero-knowledge. The requirements for interactive proofs of membership are
two: completeness and soundness. The completeness requirement states that for
any input $x$ in language $L$, the verifier accepts with overwhelming
probability. The soundness requirement states that for any input $x$ not in the
language $L$, the verifier rejects with overwhelming probability, whatever a
(possibly cheating) prover does. The zero-knowledge requirement can come in
three main variants: computational, statistical and perfect zero-knowledge. We
will deal with computational and perfect only. The perfect zero-knowledge
(resp., computational zero-knowledge) requirement states that for all
probabilistic polynomial-time verifiers $V'$, the view of $V'$ on input
$x \in L$ cannot be distinguished by any algorithm (resp., by any
polynomial-time algorithm) from the output of an efficient algorithm, called the
'simulator', on input the same $x$.


Definition 15. Let $L$ be a language, and let $(P, V)$ be an interactive
protocol, where $V$ runs in polynomial time. We say that the pair $(P, V)$ is an
interactive proof system of membership for $L$ if


1. Completeness. For all $x \in L$,
   $\Pr(\mathrm{OUT}_V(tr_{(P,V)}(x)) = \mathrm{ACCEPT}) = 1$.
2. Soundness. For all $x \notin L$, for any Turing machine $P'$,


We will call the bound 1/2 in the soundness requirement on the probability that
$V$ accepts the error probability of the proof system. We remark that by using
standard techniques such as "sequential composition", such probability can be
suitably decreased to, say, $2^{-k}$, for any $k > 0$ polynomial in the input
size $n$.
Definition 16. Let $L$ be a language, and let $(P, V)$ be an interactive proof
system of membership for $L$. We say that $(P, V)$ is computational
zero-knowledge if for each probabilistic polynomial-time algorithm $V'$, there
exists a polynomial-time algorithm $S$, called the simulator, such that for all
$x \in L$ the distributions $S_{V'}(x)$ and $\mathrm{View}_{V'}(x)$ are
computationally indistinguishable.


Definition 17. Let $L$ be a language, and let $(P, V)$ be an interactive proof
system of membership for $L$. We say that $(P, V)$ is perfect zero-knowledge if
for each probabilistic polynomial-time algorithm $V'$, there exists a
polynomial-time algorithm $S$, called the simulator, such that for all $x \in L$
the following holds:
1. $S_{V'}(x) = \bot$ with probability at most 1/2;
2. Conditioned on $S_{V'}(x) \neq \bot$, the two probability distributions
   $S_{V'}(x)$ and $\mathrm{View}_{V'}(x)$ are equal.


All random self-reducible languages (including graph isomorphism, quadratic
residuosity modulo composites and discrete logarithm problems) and their
complements have been shown in [30, 28, 50] to have a perfect zero-knowledge
proof system of membership. These results have been generalized in [14] to all
monotone formulae over random self-reducible languages, and all monotone
formulae over complements of random self-reducible languages.


A computational zero-knowledge proof of membership for 3COL. Perhaps the most
important result in zero-knowledge protocols is the construction, using
commitment schemes, of a zero-knowledge proof system for all languages in NP,
due to [28]. An implementation of their protocol using subsequent results gives
rise to the following


Theorem 5. If non-uniform one-way functions exist then there exists a
computational zero-knowledge proof system for all languages in NP.


In order to prove this theorem, we first define commitment schemes.

Informally speaking, a bit-commitment scheme $(A, B)$ is a two-phase interactive
protocol between two probabilistic polynomial-time parties $A$ and $B$, called
the sender and the receiver, respectively, such that the following is true. In
the first phase (the commitment phase), $A$ commits to bit $b$ by computing a
pair of keys $(com, dec)$ and sending $com$ (the commitment key) to $B$. Given
just the commitment key, the polynomial-time receiver $B$ cannot guess the bit
with probability significantly better than 1/2 (this is the secrecy
requirement). In the second phase (the decommitment phase) $A$ reveals the bit
$b$ and the key $dec$ (the decommitment key) to $B$. Now $B$ checks whether the
decommitment key is valid; if not, $B$ outputs a special string $\bot$, meaning
that he rejects the decommitment from $A$; otherwise, $B$ can efficiently
compute the bit $b$ revealed by $A$ and is convinced that $b$ was indeed chosen
by $A$ in the first phase, since $A$ cannot produce a valid decommitment key
opening $com$ as $1 - b$ (this is the binding requirement).

We remark that string commitment schemes can be obtained by independently
committing to each bit of the binary string. We also remark that the commitment
schemes considered in the literature can be divided into two main types,
according to whether the secrecy property holds with respect to computationally
bounded adversaries or to unbounded adversaries. A computationally-secret
bit-commitment scheme has been constructed under the minimal assumption of the
existence of pseudo-random generators (see [43]). A perfectly-secret
bit-commitment scheme has been constructed under the assumption of the existence
of one-way permutations (see [44]).

As pseudo-random generators have been constructed from any non-uniform one-way
function [31], Theorem 5 is proved if we construct a computational
zero-knowledge proof system of membership for an NP-complete language using any
commitment scheme. The NP-complete language used in [28] is 3COL, the language
of 3-colorable graphs (that is, graphs $G$ for which there exists a function
labeling each node of $G$ with one out of three colors such that any two
adjacent nodes are labeled with different colors).

We now informally describe the proof system $(P, V)$ for 3COL. The common input
to prover $P$ and verifier $V$ is a graph $G$, and $P$ would like to convince
$V$ that $G \in$ 3COL. We can divide $(P, V)$ into three messages. First, $P$
computes commitments to the randomly permuted colors of the nodes of graph $G$,
and sends its commitments to $V$. Second, $V$ randomly chooses a "challenge"
edge $(u, v)$ and sends it to $P$. Third, $P$ computes its "answer" message,
opening the commitments for nodes $u, v$ and showing that the committed colors
were different. If this is the case $V$ accepts, otherwise $V$ rejects.

A formal description of $(P, V)$ is in Figure 1. We have the following


The Protocol (P,V)
Input to P and V: $n$-node, $m$-edge graph $G$
Input to P: a 3-coloring function $\phi : \{1, \ldots, n\} \to \{1, 2, 3\}$ for $G$
P1: Uniformly choose a permutation $\psi$ over $\{1, 2, 3\}$ and compute the
    function $\rho : \{1, \ldots, n\} \to \{1, 2, 3\}$ as $\rho = \psi \circ \phi$.
    Compute pairs of commitments/decommitments $(com_i, dec_i)$ of $\rho(i)$,
    for $i = 1, \ldots, n$
P → V: $com_1, \ldots, com_n$.
V1: Uniformly choose an edge $(u, v)$ of $G$, with $u, v \in \{1, \ldots, n\}$
V → P: $u, v$.
P2: Let $dec_u, dec_v$ be the decommitments of $com_u, com_v$ as
    $\rho(u), \rho(v)$, respectively
P → V: $(\rho(u), dec_u), (\rho(v), dec_v)$.
V2: verify that $com_u, com_v$ have been correctly opened as $\rho(u), \rho(v)$;
    if so and $\rho(u) \neq \rho(v)$ then return: ACCEPT else return: REJECT.


Fig. 1: A computational zero-knowledge proof system of membership for 3COL
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Theorem 6. The protocol (P,V) is a computational zero-knowledge proof of mem- 
bership for 3COL. 


Proof. Clearly, V’s program can be performed in polynomial time. Now we give a 
sketch of proof for the requirements of completeness, soundness and computational 
zero-knowledge. 


Completeness. Assume G € 3COL. If P and V behave honestly, then P’s verifi- 
cations in his last step are satisfied with probability 1. This is because P has a 
3-coloring ¢ of G and, for any permutation 7 over {1, 2,3} chosen by P, and any 
adjacent nodes u,v chosen by V, it holds that p(w) = wo ¢(u) 4 Wo P(v) = p(v). 


Soundness. Assume G ∉ 3COL and that V behaves honestly. Then there is at least 
one pair of adjacent nodes u', v' in G such that ρ(u') = ρ(v'), and com_{u'}, com_{v'} are 
commitments to ρ(u'), ρ(v'), respectively. Consider the event u = u' and v = v'. 
If P reveals dec_{u'}, dec_{v'} then V rejects. On the other hand, by the properties of 
commitment schemes, a potentially dishonest P can reveal values different from 
dec_{u'}, dec_{v'} only with negligible probability. Therefore, the probability that V ac- 
cepts is at most the probability that (u,v) ≠ (u',v') plus the probability that 
P reveals in step P2 different values than the ones committed to in step P1. This 
probability is at most 1 − 1/n² + δ(n), for some negligible function δ, and can be 
made exponentially small by performing n³ independent sequential repetitions of 
this atomic protocol. 


Computational zero-knowledge. An informal sketch of how to construct an ex- 
pected polynomial time simulator S follows. Recall that S interacts with a verifier 
V' which may deviate arbitrarily from V's program. S chooses two different colors 
for some random edge of G and the same color for all other nodes, and sends 
commitments to all such colors to V', hoping that this particular edge is picked 
by V'. If this does not happen, however, S can "rewind" the program of V' until 
this event happens, in which case S returns the transcript so obtained. 

We note that S needs to try only at most n² rewinding attempts on aver- 
age. Moreover, the output of S_{V'} is computationally indistinguishable from that 
of a real execution of (P,V'), as the only difference is in the content of the com- 
mitted values in the first message sent by P. However, this difference cannot be 
observed by a polynomial time distinguisher, and therefore the two distributions 
are computationally indistinguishable. 
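The following Python program is an added worked example, not part of the original lecture notes: it implements the atomic protocol of Figure 1 and its sequential repetition, using a hash-based commitment (SHA-256 over a random nonce and the colour) as a stand-in for the abstract commitment scheme the text assumes. The graph, its 3-coloring and the invalid coloring used to exercise soundness are constructed sample values, and all function names are this example's own. Running a prover whose colouring violates a single edge against a fixed challenge shows the one-round soundness argument above: the verifier rejects exactly when its chosen edge is the miscoloured one, which is why the protocol must be repeated.

```python
import hashlib
import random
import secrets

# Constructed sample input (not from the text): a 5-node, 6-edge graph
# (a 5-cycle plus the chord (1, 3)) together with a valid 3-coloring PHI.
N = 5
EDGES = [(1, 2), (2, 3), (3, 4), (4, 5), (5, 1), (1, 3)]
PHI = {1: 1, 2: 2, 3: 3, 4: 1, 5: 2}

def is_3coloring(edges, phi):
    """A colouring is valid iff every edge joins two differently coloured nodes."""
    return all(phi[u] != phi[v] for u, v in edges)

def commit(color):
    """Hash-based commitment to a colour in {1,2,3}: com = SHA-256(nonce || color),
    dec = (nonce, color).  Hiding comes from the random nonce, binding from the hash."""
    nonce = secrets.token_bytes(16)
    com = hashlib.sha256(nonce + bytes([color])).hexdigest()
    return com, (nonce, color)

def open_commitment(com, dec):
    """Check that dec = (nonce, color) really opens com."""
    nonce, color = dec
    return hashlib.sha256(nonce + bytes([color])).hexdigest() == com

def prover_p1(phi, n):
    """P1: pick a uniform permutation psi of {1,2,3}, set rho = psi o phi and
    commit to rho(i) for every node i.  Returns the commitments and the openings."""
    psi = dict(zip((1, 2, 3), random.sample((1, 2, 3), 3)))
    rho = {i: psi[phi[i]] for i in range(1, n + 1)}
    coms, decs = {}, {}
    for i in range(1, n + 1):
        coms[i], decs[i] = commit(rho[i])
    return coms, decs

def verifier_v1(edges):
    """V1: challenge with a uniformly chosen edge (u, v)."""
    return random.choice(edges)

def prover_p2(decs, u, v):
    """P2: open the two commitments the verifier asked for."""
    return decs[u], decs[v]

def verifier_v2(coms, u, v, dec_u, dec_v):
    """V2: both openings must be valid and the revealed colours must differ."""
    if not (open_commitment(coms[u], dec_u) and open_commitment(coms[v], dec_v)):
        return False
    return dec_u[1] != dec_v[1]

def atomic_round(edges, phi, n, challenge=None):
    """One execution of Figure 1.  `challenge` fixes V's edge (used to test the
    soundness argument); None means V chooses it uniformly."""
    coms, decs = prover_p1(phi, n)
    u, v = challenge if challenge is not None else verifier_v1(edges)
    dec_u, dec_v = prover_p2(decs, u, v)
    return verifier_v2(coms, u, v, dec_u, dec_v)

def run_protocol(edges, phi, n, rounds):
    """Sequential repetition: V accepts only if every atomic round accepts.  A prover
    whose colouring violates one edge survives a round with probability at most
    1 - 1/m and all `rounds` rounds with probability at most (1 - 1/m)^rounds."""
    return all(atomic_round(edges, phi, n) for _ in range(rounds))
```

The commitment here is only a stand-in: the text's soundness argument needs binding (a committed colour cannot be opened as another one), and its zero-knowledge argument needs hiding (a commitment reveals nothing about the colour until opened); the random nonce and the hash provide the two properties respectively.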














The presented zero-knowledge proof system for an NP-complete language has 
found numerous applications in various areas of cryptography. It has also played 
an important role in enlarging as much as possible the class of languages having 
zero-knowledge proof systems of membership, as in the following result, due to 
[35, 9]. 


Theorem 7. If non-uniform one-way functions exist then there exists a compu- 
tational zero-knowledge proof system of membership for all languages having an 
interactive proof system of membership. 
We note that the class IP of languages having an interactive proof system of 
membership has been proved equal to PSPACE in an important result in [47]. It 
follows then that any language in PSPACE has a zero-knowledge proof system 
of membership. One may wonder if all languages in PSPACE or NP have a per- 
fect zero-knowledge proof system of membership. It turns out that, as proved in 
[8, 22, 2], it is very unlikely that all languages in NP have such a proof system (as 
otherwise the polynomial hierarchy would collapse to its second level). An impor- 
tant consequence of these results is that a way to give evidence that a language is 
not NP-complete is to construct a perfect zero-knowledge proof system for it. 


A perfect zero-knowledge proof of membership for GI. Recall that the language GI 
is in NP and therefore has a simple proof system of membership: the prover sends 
an isomorphism between the two input graphs, and the verifier just checks that 
he indeed received a valid isomorphism. We now present a perfect zero-knowledge 
proof system for this language from [28], in which the prover does not reveal any 
information at all about the input graphs, other than the fact that they are iso- 
morphic. Contrary to the previous computational zero-knowledge proof systems, 
this result is unconditional, in the sense that it does not depend on unproven as- 
sumptions such as the existence of commitment schemes. 

We start by informally describing the proof system (P,V) for GI. The common 
input to prover P and verifier V is a pair of graphs (G_0, G_1) and P would like to 
convince V that the two graphs are isomorphic, that is, G_0 ≅ G_1. We can divide 
(P,V) into three messages. First, P randomly chooses a graph H isomorphic to 
G_0, and sends its "commitment" message H to V. Second, V randomly chooses a 
"challenge" bit b and sends it to P. Third, P computes its "answer" message ψ as 
an isomorphism between H and G_b and sends it to V, who accepts if and only if 
ψ is an isomorphism between H and G_b. 

A formal description of (P,V) is in Figure 2. We have the following 


The Protocol (P,V) 
Input to P and V: (G_0, G_1), where G_0, G_1 are n-node graphs. 
Input to P: φ, such that G_1 = φ(G_0). 
P1: Uniformly choose a permutation π and compute H = π(G_0). 
P → V: H. 
V1: Uniformly choose a bit b. 
P ← V: b. 
P2: If b = 0 then set ψ = π otherwise set ψ = π ∘ φ^{-1}. 
P → V: ψ. 
V2: If H = ψ(G_b) then return: ACCEPT else return: REJECT. 

Fig. 2: A perfect zero-knowledge proof system of membership for GI 
Theorem 8. The protocol (P,V) is a perfect zero-knowledge proof of membership 
for GI. 


Proof. Clearly, V’s program can be performed in polynomial time. Now we prove 
the three requirements of completeness, soundness and perfect zero-knowledge. 


Completeness. Assume G_0 ≅ G_1. If P and V behave honestly, then V's verification 
in his last step is satisfied with probability 1. To see this, consider first the case 
b = 0. In this case V's verification in step V2 is met as H = π(G_0) = ψ(G_0) = 
ψ(G_b). Now, consider the case b = 1. Also in this case V's verification in step V2 
is met as H = π(G_0) = π ∘ φ^{-1}(G_1) = ψ(G_1) = ψ(G_b). 

Soundness. Assume G_0 ≇ G_1 and that V behaves honestly. Let H be the graph sent 
by a (potentially adversarial) P in step P1. By the previous assumption H cannot 
be isomorphic to both G_0 and G_1, but might be isomorphic to one of them; let 
this graph be G_a. Then P can meet V's verification in step V2 only if a = b, which 
happens with probability 1/2. Therefore the probability that V accepts is at most 
1/2. 


Perfect zero-knowledge. We now show a simulator S. Recall that S interacts with 
a verifier V’ which may deviate arbitrarily from V’s program. The basic trick that 
allows S to produce an accepting conversation between P and V even without 
knowing a witness for (Go,G1) € GI is that S can “rewind” the verifier until he 
is as lucky as a dishonest prover. 


The simulator S. On input (G_0, G_1) ∈ GI, S will first of all feed V' with a random 
string of appropriate length. Then S randomly chooses a bit a and a permutation 
π, computes the graph H = π(G_a), and sends H to V'. Now, V' sends its random bit 
b to P. At this point, if a = b then S sets ψ = π, returns (H, b, ψ) and halts; 
otherwise, he restarts the entire process again, using independently distributed 
random bits. 


We need to show two properties of S: first, S's output is distributed exactly as the 
output of the protocol; second, S's running time is expected polynomial time. 

To see that the first property is satisfied, we start by observing that the 
messages from V' are clearly equally distributed in both spaces, since they are 
computed in the same way. The first message from the prover is equally distributed 
in both spaces since we are assuming that G_0 ≅ G_1. The second message of the 
prover is distributed as a random isomorphism between H and G_b in both the 
transcript of the protocol and the output of the simulator. 

To see that the second property is satisfied, we observe that the simulator 
only executes polynomial time computation and terminates with probability 1/2 
at each attempt. Therefore he only needs an expected number of 2 attempts and 
its total running time is expected polynomial time. 
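As an added example (not from the text or from [28]), the following Python code implements Figure 2 and the simulator S of the proof, with graphs as sets of edges and permutations as tuples. Because the sample graphs are tiny, it can enumerate all of the prover's and the verifier's randomness and compute the exact distribution of transcripts (H, b, ψ), both in a real execution and in the simulator's output conditioned on a successful attempt (which is what rewinding until success produces). The two distributions coincide, against the honest verifier and against a constructed cheating verifier whose challenge bit depends on H, which is the perfect zero-knowledge property argued above. The graph G_0, the witness φ and all function names are constructed for this example.

```python
import random
from collections import Counter
from fractions import Fraction
from itertools import permutations

# Graphs are frozensets of undirected edges over nodes 0..n-1; a permutation pi is a
# tuple with pi[i] the new label of node i.  Constructed sample input (not from the text):
N = 4
G0 = frozenset(frozenset(e) for e in [(0, 1), (1, 2), (2, 3)])   # the path 0-1-2-3
PHI = (1, 3, 0, 2)                                                 # the prover's witness

def apply_perm(pi, g):
    """Relabel every edge of g through pi."""
    return frozenset(frozenset(pi[v] for v in e) for e in g)

def compose(pi, sigma):
    """(pi o sigma)(i) = pi(sigma(i))."""
    return tuple(pi[s] for s in sigma)

def inverse(pi):
    inv = [0] * len(pi)
    for i, p in enumerate(pi):
        inv[p] = i
    return tuple(inv)

G1 = apply_perm(PHI, G0)   # G1 = PHI(G0), exactly as on P's input line of Figure 2

def verify(g0, g1, h, b, psi):
    """V2: accept iff H = psi(G_b)."""
    return h == apply_perm(psi, g1 if b else g0)

def prover_answer(phi, pi, b):
    """P2: psi = pi when b = 0, psi = pi o phi^{-1} when b = 1."""
    return pi if b == 0 else compose(pi, inverse(phi))

def honest_verifier(h, coin):
    """V1 of Figure 2: the challenge is V's uniform coin."""
    return coin

def cheating_verifier(h, coin):
    """A V' that ignores its coin and derives b from H (degree of node 0 in H)."""
    return 1 if sum(1 for e in h if 0 in e) >= 2 else 0

def real_transcript(g0, g1, phi, verifier, pi, coin):
    """Honest P (witness phi, randomness pi) against `verifier` (randomness coin)."""
    h = apply_perm(pi, g0)
    b = verifier(h, coin)
    return (h, b, prover_answer(phi, pi, b))

def sim_attempt(g0, g1, verifier, a, pi, coin):
    """One attempt of S: guess a, send H = pi(G_a); the attempt succeeds iff V' answers a,
    in which case pi itself is a valid isomorphism between H and G_b."""
    h = apply_perm(pi, g1 if a else g0)
    b = verifier(h, coin)
    return (h, b, pi) if a == b else None

def simulate(g0, g1, verifier, n, rng=random):
    """S with rewinding: retry with fresh randomness until an attempt succeeds.
    Returns the transcript and the number of attempts (2 on average)."""
    attempts = 0
    while True:
        attempts += 1
        t = sim_attempt(g0, g1, verifier, rng.randrange(2),
                        tuple(rng.sample(range(n), n)), rng.randrange(2))
        if t is not None:
            return t, attempts

def real_distribution(g0, g1, phi, verifier, n):
    """Exact distribution of (H, b, psi) in a real execution over all randomness."""
    counts = Counter(real_transcript(g0, g1, phi, verifier, pi, coin)
                     for pi in permutations(range(n)) for coin in (0, 1))
    total = sum(counts.values())
    return {t: Fraction(c, total) for t, c in counts.items()}

def simulated_distribution(g0, g1, verifier, n):
    """Exact distribution of S's output: enumerate every attempt and condition on
    success, which is what rewinding until success achieves."""
    counts = Counter()
    for a in (0, 1):
        for pi in permutations(range(n)):
            for coin in (0, 1):
                t = sim_attempt(g0, g1, verifier, a, pi, coin)
                if t is not None:
                    counts[t] += 1
    total = sum(counts.values())
    return {t: Fraction(c, total) for t, c in counts.items()}
```

Enumerating the randomness rather than sampling is what makes the comparison exact: the equality of the two dictionaries is the statement that S's output and the real view are the same probability space, not merely close, which is the difference between perfect and computational zero-knowledge.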














5.3. Witness-Indistinguishable Proof Systems of Knowledge 


The concept of proof systems of knowledge has been alluded to in [30], developed by 
[20, 21, 50] and fully formalized in [5]. In this section we recall the definition given 
in [5], with the additional requirement of witness indistinguishability, introduced 
in [21]. A witness-indistinguishable proof system of knowledge is an interactive 
protocol in which, on input a string x, a prover convinces a poly-bounded veri- 
fier that he knows a string y such that a polynomial-time relation R(x, y) holds; 
moreover, for any y_1, y_2, no information is revealed to the verifier about whether 
the string y used by the prover is equal to y_1 or y_2. Informally, the requirements 
for witness-indistinguishable proof systems of knowledge are three: non-triviality, 
extraction and witness-indistinguishability. The non-triviality requirement states 
that for any input x in the domain of relation R, the verifier accepts with over- 
whelming probability. The extraction requirement states that there exists an ex- 
tractor that, for any input x, and interacting with any prover that forces the 
verifier to accept with 'sufficiently high' probability, is able to compute a string y 
such that R(x, y) holds, within a 'properly bounded' expected time. The witness- 
indistinguishability requirement states that for all inputs x ∈ domR, and for all 
y_1, y_2 such that (x, y_1) ∈ R and (x, y_2) ∈ R, the verifier's view when P uses y_1 is 
identical to the verifier's view when P uses y_2. 


Definition 18. Let P be a probabilistic Turing machine and V a probabilistic poly- 
nomial-time Turing machine that share the same input and can communicate with 
each other. Let R be a two-argument polynomial time relation and err : {0,1}* → 
[0,1] be a function. We say that a pair (P,V) is a WITNESS-INDISTINGUISHABLE 
PROOF SYSTEM OF KNOWLEDGE with knowledge error err for relation R if 


1. Non-Triviality. For all x ∈ domR, Prob(OUT_V(tr_{(P,V)}(x)) = ACCEPT) = 1. 
2. Extraction. There exists a probabilistic oracle machine E (called the extrac- 
   tor) such that for all x ∈ domR, and for any Turing machine P', and letting 
   acc_{P'}(x) = Prob(OUT_V(tr_{(P',V)}(x)) = ACCEPT), the following holds: if 
   acc_{P'}(x) > err(x) then, 
   • Prob(E_{P'}(x) = y) > 2/3, where (x, y) ∈ R. 
   • The machine E halts within expected time bounded by |x|^c / (acc_{P'}(x) − err(x)), 
     for some constant c > 0. 
3. Witness Indistinguishability. For any x ∈ domR, and any y_1, y_2 such that 
   (x, y_1) ∈ R and (x, y_2) ∈ R, the probability spaces P(y_1)-View_V(x) and 
   P(y_2)-View_V(x) are equal. 


In [21] it was shown that any zero-knowledge proof of knowledge is also witness- 
indistinguishable (the converse being not necessarily true). In fact, the concept of 
witness-indistinguishable proofs is sufficient for many applications. For instance, in 
some zero-knowledge protocols, 3-round witness-indistinguishable proofs of knowl- 
edge are executed as subprotocols, in which the verifier proves the knowledge of 
some string which certifies that he has computed honestly some previous message. 


A Witness-Indistinguishable proof of knowledge for R_GI. Define protocol (P,V) as 
the parallel repetition of n independent executions of the protocol for GI presented 
in Section 5.2, where n is the size of the input. It has been proved in [26] that 
protocol (P,V) is not zero-knowledge (according to a stronger notion, called "black- 
box zero-knowledge", unless GI is in BPP, which trivializes the question). Now we 
show that the protocol (P,V) is a witness-indistinguishable proof of knowledge for 
R_GI. That is, we have the following 


Theorem 9. The protocol (P,V) is a witness-indistinguishable proof of knowledge 
for R_GI. 


Proof. Clearly, V’s program can be performed in polynomial time. The non-trivial- 
ity property directly follows from the completeness of the atomic proof of mem- 
bership for GI. Now we sketch the proofs of the extraction and perfect witness- 
indistinguishability of (P,V). 

Extraction. This is shown by presenting an extractor E. Recall that E uses as 
an oracle a prover P' which may deviate arbitrarily from P's program and makes 
V accept with a certain probability acc_{P'}(G_0, G_1). Intuitively, the trick that E 
uses to obtain an isomorphism between G_0 and G_1 is that of 'rewinding' the 
prover in order to ask two different tuples of challenge bits and receive, for at 
least one copy of the atomic protocol, an answer to both challenges 0 and 1, which 
reveals the desired isomorphism. We note that if acc_{P'}(G_0, G_1) > 0 then one can 
prove that Prob(OUT_E(tr_{(P',E)}(G_0, G_1)) = φ) ≥ 1 − 2^{-n}, and that the expected 
running time of E is a polynomial times the expected number of necessary rewindings 
of P'. Since E only needs two accepting conversations from P', the latter number is 
about 2/acc_{P'}(G_0, G_1). 
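The extractor sketched above is made concrete below as an added example that is not part of the original text. The parallel GI protocol is run against a prover with a fixed random tape, so that "rewinding" amounts to asking, for the same first message, for answers to a second challenge vector; at any index where the two challenge vectors differ, the two answers compose into an isomorphism between G_0 and G_1. A second prover class that knows no witness and merely guesses the challenge bits in advance convinces the verifier with probability 2^{-n} and can never produce two accepting conversations, so extraction fails on it, as the knowledge-error bound predicts. The graphs, permutations, class and function names are constructed for this example.

```python
import random

# Graph/permutation helpers as in the GI protocol: a graph is a frozenset of undirected
# edges over nodes 0..n-1, a permutation pi is a tuple with pi[i] the new label of node i.
def apply_perm(pi, g):
    return frozenset(frozenset(pi[v] for v in e) for e in g)

def compose(pi, sigma):
    """(pi o sigma)(i) = pi(sigma(i))."""
    return tuple(pi[s] for s in sigma)

def inverse(pi):
    inv = [0] * len(pi)
    for i, p in enumerate(pi):
        inv[p] = i
    return tuple(inv)

def random_perm(rng, n):
    return tuple(rng.sample(range(n), n))

# Constructed sample input (not from the text).
N = 4
G0 = frozenset(frozenset(e) for e in [(0, 1), (1, 2), (2, 3), (0, 2)])
PHI = (2, 0, 3, 1)
G1 = apply_perm(PHI, G0)

class HonestProver:
    """P' with witness phi.  Its random tape is fixed by `seed`, so the extractor can
    'rewind' it: the first message stays the same and `answer` may be queried on
    several challenge vectors."""
    def __init__(self, g0, phi, n, seed):
        rng = random.Random(seed)
        self.phi = phi
        self.pis = [random_perm(rng, n) for _ in range(n)]
        self.hs = [apply_perm(pi, g0) for pi in self.pis]
    def first_message(self):
        return self.hs
    def answer(self, challenge):
        return [pi if b == 0 else compose(pi, inverse(self.phi))
                for pi, b in zip(self.pis, challenge)]

class GuessingProver:
    """P' without a witness: it guesses each challenge bit a_i up front, sends
    H_i = pi_i(G_{a_i}) and can answer copy i only if b_i = a_i, so it convinces V
    with probability 2^-n and has no second accepting conversation to be rewound into."""
    def __init__(self, g0, g1, n, seed):
        rng = random.Random(seed)
        self.guesses = [rng.randrange(2) for _ in range(n)]
        self.pis = [random_perm(rng, n) for _ in range(n)]
        self.hs = [apply_perm(pi, g1 if a else g0) for pi, a in zip(self.pis, self.guesses)]
    def first_message(self):
        return self.hs
    def answer(self, challenge):
        return [pi if b == a else None
                for pi, a, b in zip(self.pis, self.guesses, challenge)]

def verifier_accepts(g0, g1, hs, challenge, answers):
    """V accepts the parallel proof iff every copy i satisfies H_i = psi_i(G_{b_i})."""
    return all(psi is not None and h == apply_perm(psi, g1 if b else g0)
               for h, b, psi in zip(hs, challenge, answers))

def extract(g0, g1, prover, n, rng, max_attempts):
    """Knowledge extractor E: collect two accepting conversations on distinct challenge
    vectors against the same first message, then at an index i where the challenge bits
    differ combine psi_i (H_i = psi_i(G0)) and psi'_i (H_i = psi'_i(G1)) into
    psi'_i^{-1} o psi_i, which maps G0 onto G1.  Returns None if rewinding does not
    produce two accepting conversations within max_attempts."""
    hs = prover.first_message()
    accepted = {}
    for _ in range(max_attempts):
        ch = tuple(rng.randrange(2) for _ in range(n))
        if ch in accepted:
            continue
        ans = prover.answer(ch)
        if verifier_accepts(g0, g1, hs, ch, ans):
            accepted[ch] = ans
            if len(accepted) == 2:
                break
    if len(accepted) < 2:
        return None
    (c1, a1), (c2, a2) = accepted.items()
    i = next(j for j in range(n) if c1[j] != c2[j])
    psi0, psi1 = (a1[i], a2[i]) if c1[i] == 0 else (a2[i], a1[i])
    return compose(inverse(psi1), psi0)
```

The extracted permutation need not equal the prover's own witness when the graphs have non-trivial automorphisms, so the check worth making is that it maps G_0 onto G_1, not that it equals PHI.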


Witness-indistinguishability. Let us observe first that any zero-knowledge proof 
is also witness-indistinguishable (intuitively, this is because if an adversary can 
distinguish which witness the prover is using then he can obtain some knowledge 
he did not have before running the protocol). Therefore a single execution of 
the atomic protocol for GI is witness-indistinguishable. To prove that a parallel 
execution of n copies of that protocol is still witness-indistinguishable, we will 
use again the 'hybrid proof technique' of [29] and contradict the fact that the 
atomic protocol for GI is witness-indistinguishable. Let φ_1, φ_2 be two different 
isomorphisms between G_0 and G_1. Assume, for the sake of contradiction, that (P,V) 
is not witness-indistinguishable. Then there exists an adversary V' that is able to 
distinguish with some non-negligible probability a transcript of the protocol when 
P uses witness φ_1 from a transcript of the protocol when P uses witness φ_2. Let 
D_0 (resp., D_n) denote the distribution returning a transcript of an execution of 
protocol (P,V'), when P is using isomorphism φ_1 (resp., φ_2). Then the assumption 
can be written as saying that there exists a polynomial p and a probabilistic 
polynomial time algorithm V' such that for infinitely many k's, it holds that 


$$\Delta = \bigl|\,\mathrm{Prob}(\mathrm{OUT}_{V'}(D_0) = 1) - \mathrm{Prob}(\mathrm{OUT}_{V'}(D_n) = 1)\,\bigr| > 1/p(k).$$


For i = 1,...,n−1, we define the distribution D_i as the distribution returning a 
transcript of an execution of protocol (P,V'), where P uses φ_2 in the first i parallel 
executions of the atomic protocol for GI and φ_1 in the remaining n − i executions 
(so that D_0 and D_n are the two distributions above). Then, by the triangle 
inequality, we can bound Δ as 
$$\Delta \le \sum_{i=0}^{n-1} \bigl|\,\mathrm{Prob}(\mathrm{OUT}_{V'}(D_i) = 1) - \mathrm{Prob}(\mathrm{OUT}_{V'}(D_{i+1}) = 1)\,\bigr|,$$
and since Δ > 1/p(k) we obtain that there exists an i ∈ {0,...,n−1} such that 
$$\bigl|\,\mathrm{Prob}(\mathrm{OUT}_{V'}(D_i) = 1) - \mathrm{Prob}(\mathrm{OUT}_{V'}(D_{i+1}) = 1)\,\bigr| > 1/(n \cdot p(k)).$$


This can be used to construct an algorithm that violates the witness-indistingui- 
shability of the atomic protocol for GI, from which a contradiction is derived. 














A Perfect Zero-Knowledge Proof for GNI. An important application of witness- 
indistinguishable proofs of knowledge is in constructing a perfect zero-knowledge 
proof system for GNI [28]. (Note that GNI is not in NP.) 

We start by informally describing an interactive proof system of membership 
for GNI. This consists of two messages: on input (G_0, G_1), the verifier randomly 
chooses a bit b and a graph H isomorphic to G_b, and sends H to the prover. The 
prover computes b' such that H ≅ G_{b'} and sends b' to the verifier, who accepts if 
and only if b = b'. 

We note that this proof system is not zero-knowledge, as a cheating verifier 
might send a graph H' for which he does not know whether H' is isomorphic to G_0 or 
G_1 and use the prover's answer to determine that. In order to avoid this problem, 
the protocol is patched as follows: the verifier, in addition to sending H, also gives 
a witness-indistinguishable proof of knowledge of an isomorphism between H and 
one of G_0, G_1. This proof can be obtained as an extension of the previous witness- 
indistinguishable protocol (see [28, 14]). 


5.4. Zero-Knowledge Proof Systems of Decision Power 


The idea of proving the knowledge of whether a string belongs to a language or 
not has been given in [20]; a related concept of proving computational power has 
been introduced in [53]; the formal definition of zero-knowledge proof systems of 
decision power has first appeared in [16]. Applications of this type of protocols 
include entity authentication protocols. 

A zero-knowledge proof system of decision power is an interactive protocol 
in which a prover convinces a poly-bounded verifier that he knows whether a 
string x belongs to a language L or not, without revealing which is the case, 
or any other information. Informally, the requirements for zero-knowledge proof 
systems of decision power are three: verifiability, extraction and zero-knowledge. 
Verifiability states that the verifier accepts with high probability for any input x, 
in the language L or not. Extraction states that there exists an extractor that, 
for any input x, and interacting with any prover that forces the verifier to accept 
with 'sufficiently high' probability, is able to decide whether x ∈ L or not, within 
a ‘properly bounded’ expected time. This differs from previous work on proofs of 
knowledge in which the extractor existed only for input in the language and was 
required to output a string satisfying a polynomial relation with the input. This 
approach allows to consider even languages above NP. Finally, the zero-knowledge 
requirement states that for all probabilistic polynomial time verifiers V', the view 
of V’ is efficiently simulatable, and the simulation is correct for all x (in L or not). 


Definition 19. Let P be a probabilistic Turing machine and V a probabilistic poly- 
nomial-time Turing machine that share the same input and can communicate with 
each other. Let L be a language and err : {0,1}* → [0,1] be a function. We say 
that a pair (P,V) is a perfect zero-knowledge proof system of decision power with 
knowledge error err for L if 


1. Verifiability. For all x, 
   Prob(OUT_V(tr_{(P,V)}(x)) = ACCEPT) = 1. 


2. Extraction. There exists a probabilistic oracle machine E (called the extrac- 
   tor) such that for all x, and any Turing machine P', and letting acc_{P'}(x) = 
   Prob(OUT_V(tr_{(P',V)}(x)) = ACCEPT), the following holds: if acc_{P'}(x) > 
   err(x) then, 

   • Prob(E_{P'}(x) = χ_L(x)) > 2/3. 
   • The machine E halts within expected time bounded by |x|^c / (acc_{P'}(x) − err(x)), 
     for some constant c > 0. 

3. Perfect Zero-Knowledge. For all probabilistic polynomial-time verifiers V', 
   there exists a polynomial time algorithm S, called the simulator, such that 
   for all x, the following holds: 

   (a) S_{V'}(x) = ⊥ with probability at most 1/2; 
   (b) Conditioned on S_{V'}(x) ≠ ⊥, the two probability spaces S_{V'}(x) and P- 
       View_{V'}(x) are equal. 


The languages known to have a perfect zero-knowledge proof of decision power 
are the languages that are known to be random self-reducible, that is, quadratic 
residuosity [20, 16], graph isomorphism and discrete log [16], and a certain class 
extending these languages [18]. 

In principle it might be possible to directly use interactive proof systems of 
membership in order to construct proof systems of decision power. In particular, 
consider the following protocol transformation: given a proof of membership (A,B) 
for the language OR(L, L̄), defined as the set of pairs (x_1, x_2) such that (x_1 ∈ 
L) ∨ (x_2 ∉ L) (in [14] such proofs have been given for GI), derive a protocol (P,V) 
as (A,B) executed on input (x,x). One might think that such a transformation 
is a reasonable approach to constructing a proof system of decision power 
for L. Nevertheless, it turns out that this approach in general fails; that is, the 
obtained (P,V) fails to be a proof of decision power (an example of this is fully 
explained in [16]). Therefore we need new techniques to construct these protocols. 


A proof of decision power for GI. We start by informally describing the proof 
system (P,V) from [16]. The common input to prover P and verifier V is a pair of 
graphs (G_0, G_1). We can divide (P,V) into three basic steps. The first step is done 
by V; he randomly chooses a bit b and a graph G isomorphic to G_b, and sends it to 
P. In the second step, V proves to P that graph G has been correctly constructed, 
using a witness-indistinguishable proof of knowledge, that is, without revealing 
any information about bit b or the permutation used. In the third step, P checks 
that V's proof is accepting and then proves to V that he knows an isomorphism 
between graph G and one of the two input graphs G_0, G_1. V accepts if and only if 
this proof is convincing. 

The first step is implemented directly as described above. The second and the 
third step can be implemented in various ways; perhaps the simplest is to use 
the same protocol for both steps. Specifically, P and V will run twice a witness- 
indistinguishable subprotocol (from [80]), where in the first execution (second step 
of (P,V)) V acts as a prover and P as a verifier, and in the second execution (third 
step of (P,V)) the roles are reversed. By carefully interleaving such executions, we 
obtain only 4 rounds of communication between P and V. Let n be an integer and 
m = n log n; a formal description of (P,V) is in Figure 3. We obtain the following 


Theorem 10. The protocol (P,V) is a perfect zero-knowledge proof of decision power 
(with decision error 0) for GI. 


Proof. Clearly, V’s program can be performed in polynomial time. Now we prove 
the three requirements of verifiability, extraction and perfect zero-knowledge. 


Verifiability. First of all notice that if P and V behave honestly, then P's veri- 
fications in his last step are satisfied with probability 1. This implies that with 
probability 1 the graph G sent by V in his first step is isomorphic to at least one 
of G_0, G_1. Now, observe that regardless of whether G_0 ≅ G_1 or not, the prover 
can compute an isomorphism between G and one of G_0, G_1 and then meet V's 
verification in the third step of the protocol. Specifically, if G_0 ≅ G_1 then G is 
isomorphic to both, and, say, the permutation between G and G_0 can be used to 
run his program in the third step of the protocol. Instead, if G_0 ≇ G_1 then G is 
isomorphic only to G_b, and then the permutation between G and G_b can be com- 
puted by P and used to run his program in the third step of the protocol. Thus, 
in both cases, V accepts with probability 1. 


Extraction. We show an extractor E. Recall that E uses as an oracle a prover P' 
which may deviate arbitrarily from P's program and makes V accept with a certain 
probability acc_{P'}(G_0, G_1). 

The extractor E. On input (G_0, G_1), E starts by running m times a procedure, 
called Iso-ext, which we now describe. 


The procedure Iso-ext takes as input a bit b and returns either a bit v or a 
special string fail. Precisely, each time the procedure is executed, it takes as input 
a uniformly and independently chosen bit b_i. The procedure starts by repeatedly 
running the program of the verifier V interacting with P' until an accepting con- 
versation is obtained. In this conversation P' has received a graph G chosen by the 
procedure as isomorphic to G_{b_i}; also, P' has sent some pairs of graphs (D_{i0}, D_{i1}) 
and answered correctly to V's questions represented by bits e_i. Then the procedure 
Iso-ext rewinds P' until after his first step. Now, V's second round is run again 
by sending some uniformly chosen e'_i, instead of the bits e_i sent before (here the 
The Protocol (P,V) 
Input to P and V: (G_0, G_1), where G_0, G_1 are n-node graphs. 

V1: Uniformly choose a bit b and a permutation π and set G = π(G_b); 
    for i = 1,...,m, 
        uniformly choose a bit a_i and two permutations π_{i0}, π_{i1}; 
        compute graphs A_{i0} = π_{i0}(G_{a_i}) and A_{i1} = π_{i1}(G_{1−a_i}). 
P ← V: G, (A_{10}, A_{11}), ..., (A_{m0}, A_{m1}). 
P1: For i = 1,...,m, 
        uniformly choose bits c_i, d_i and permutations ψ_{i0}, ψ_{i1}; 
        compute graphs D_{i0} = ψ_{i0}(G_{d_i}) and D_{i1} = ψ_{i1}(G_{1−d_i}). 
P → V: (c_1,...,c_m), (D_{10}, D_{11}), ..., (D_{m0}, D_{m1}). 
V2: For i = 1,...,m, 
        uniformly choose a bit e_i; 
        if c_i = 0 then set σ_i = (π_{i0}, π_{i1}); 
        if c_i = 1 then set σ_i = π ∘ π_{ij}^{-1}, for the bit j such that A_{ij} = π_{ij}(G_b). 
P ← V: (e_1,...,e_m), (σ_1,...,σ_m). 
P2: For i = 1,...,m, 
        if c_i = 0 then 
            let σ_i = (η_{i0}, η_{i1}); 
            check that A_{i0} = η_{i0}(G_{a_i}), A_{i1} = η_{i1}(G_{1−a_i}), for some bit a_i; 
        if c_i = 1 then check that G = σ_i(A_{i0}) or G = σ_i(A_{i1}); 
        if any of the above verifications is not satisfied then halt; 
        if e_i = 0 then set τ_i = (ψ_{i0}, ψ_{i1}); 
        if e_i = 1 then 
            if G_0 ≅ G_1 then 
                randomly choose a bit g_i; 
                compute a permutation τ_i such that G = τ_i(D_{i g_i}); 
            if G_0 ≇ G_1 then 
                compute the bit b and a permutation π such that G = π(G_b); 
                set τ_i = π ∘ ψ_{ij}^{-1}, for the bit j such that D_{ij} = ψ_{ij}(G_b). 
P → V: (τ_1,...,τ_m). 
V3: For i = 1,...,m, 
        if e_i = 0 then 
            let τ_i = (ω_{i0}, ω_{i1}); 
            check that D_{i0} = ω_{i0}(G_{d_i}), D_{i1} = ω_{i1}(G_{1−d_i}), for some bit d_i; 
        if e_i = 1 then check that G = τ_i(D_{i0}) or G = τ_i(D_{i1}). 
    If all verifications are successful then output: ACCEPT else output: REJECT. Halt. 


Figure 3: A perfect zero-knowledge proof system of decision power for GI 
procedure also makes sure that the sequence (e'_1,...,e'_m) is distinct from all previ- 
ously chosen, including (e_1,...,e_m)). This step is repeated until another accepting 
conversation is obtained. Now, in the case the procedure never finds a second (or 
even a first) accepting conversation, then it outputs fail. If this does not happen, 
then this implies that P' has given answers to bit e_i and bit e'_i corresponding to 
the same pair of graphs (D_{i0}, D_{i1}), for i = 1,...,m. Since there exists an i such 
that e_i ≠ e'_i, from the answers to such two distinct bits, the procedure can easily 
compute an isomorphism φ between G and one of G_0, G_1. In this case the output 
of procedure Iso-ext will be a bit v such that the isomorphism φ obtained from P' is 
such that G = φ(G_v). 


Now, if procedure Iso-ext has ever output fail then E runs an exhaustive 
search procedure to find a permutation π such that G_0 = π(G_1), or a proof that 
no such permutation exists; if such a permutation is found, then E outputs 1; if 
not, E outputs 0. 


Instead, consider the case procedure Iso-ext never outputs fail. As mentioned 
above, E runs m times the procedure Iso-ext, each time on input a uniformly chosen 
bit b_i. Then, let v_i be the bit output by the procedure Iso-ext, when given b_i as 
input, for i = 1,...,m. Then E outputs 0 (meaning that the graphs G_0, G_1 are 
not isomorphic) if b_i = v_i, for i = 1,...,m, and 1 (meaning that the graphs G_0, G_1 
are isomorphic) otherwise. 

To prove that the output of E is correct, first of all we observe that if the 
extractor E outputs because of the search procedure then clearly its output is 
correct with probability 1. Now we consider the case in which the extractor E 
outputs after running m times the procedure Iso-ext. First, assume that G_0 ≇ G_1. 
In this case, in each execution of procedure Iso-ext, E sends a graph G isomorphic 
to G_{b_i} to P'; also, procedure Iso-ext finds an isomorphism between G and exactly 
one of G_0, G_1, which can only be G_{b_i}. Thus, it holds that v_i = b_i, for i = 1,...,m, 
and thus E's output is correct with probability 1. Now, assume that G_0 ≅ G_1. In 
this case, in each execution of procedure Iso-ext, E sends a graph G isomorphic to 
G_{b_i} to P', and proves that he knows an isomorphism between G and one of G_0, G_1. 
Since this proof is witness-indistinguishable, no information is revealed about bit 
b_i to any P', and thus the probability that v_i = b_i is exactly 1/2. This means that 
the probability that there exists an i such that b_i ≠ v_i, from which it follows that 
E's output is correct, is at least 1 − 2^{-m} ≥ 1 − 2^{-n}. 

Now, consider the running time of E. The first reason E can output is because 
of the result of the procedure Iso-ext; in this case the expected running time of 
E is properly bounded, for the following two reasons: 1) at each iteration such 
procedure essentially runs the program of verifier V, which is strict polynomial 
time; 2) the expected number of iterations is at most 2/acc_{P'}(G_0, G_1). It follows 
that E's expected time is at most poly(n)/acc_{P'}(G_0, G_1). Now consider the other 
case, that is, when E outputs because of the result of the search procedure; clearly, 
this procedure may take exponential time. However, this happens when prover P' 
makes V accept only in correspondence to one of the sequences (e_1,...,e_m). This 
implies that in this case the probability acc_{P'}(G_0, G_1) is at most 2^{-m}, and E's 
expected running time is then poly(n) · n! · 2^{-m} ≤ poly(n). 


Perfect zero-knowledge. We show a simulator S which satisfies Definition 19. Recall 
that S interacts with a verifier V’ (treated as a black box) which may deviate 
arbitrarily from V’s program. 


The simulator S. On input (Go, G1), S will first of all feed V’ with a random string 
of appropriate length. Then S obtains the first message from V’ and runs P’s 
program to simulate the first message by P. Then he obtains the second message 
from V’, which terminates the proof of knowledge from V’. Now, if this proof is 
convincing, then S uses this proof to extract the knowledge communicated by V’ 
through this proof. That is, S runs the extractor for the proof of knowledge by V’ 
and obtains a permutation between G and one of G_0, G_1. Then S simulates the 
last message by P by running P’s program, and using the obtained permutation 
as auxiliary input. Finally S outputs the conversation thus obtained. 

We now need to show two properties: first, S’s output is distributed exactly as the 
output of the protocol; second, S’s running time is expected polynomial time. 

To see that the first property is satisfied, we start by observing that the 
messages from V’ are clearly equally distributed in both spaces, since they are 
computed in the same way. The first message from the prover is equally distributed 
in both spaces since S runs algorithm P to compute it. The second message of the 
prover is also computed by S using algorithm P; here S uses the permutation 
extracted from the proof of knowledge by V' as his auxiliary input. Although this 
auxiliary input may be different from the one used by P during the protocol, the 
second message by P has the same distribution, no matter which auxiliary input 
is used by P, since P is running a witness-indistinguishable proof of knowledge. 

To see that the second property is satisfied, we observe that the simulator 
computes the first message from the prover, by running P’s program which is 
polynomial time here. Then S runs the extractor for the proof of knowledge by V’, 
which, by properties of proofs of knowledge (see [5]) we know to run in expected 
polynomial time. Finally, he uses the witness obtained from this extraction to run 
P’s program in polynomial time and simulate the last step of the protocol. 














5.5. Zero-Knowledge Transfers of Decision 


The model for zero-knowledge and result-indistinguishable proofs of decision has 
been introduced in [23]. A zero-knowledge and result-indistinguishable transfer of 
decision is a protocol in which a prover convinces a poly-bounded verifier of whether 
a string x belongs to a language L or not, without revealing which is the case, or 
any other information, to any eavesdropper, and without revealing any other 
additional information to the verifier. An immediate application of this type of 
protocols is interactive encryption secure with respect to strong definitions based 
on languages with such proofs. Here we recall the definition given in [23] for 
result-indistinguishable proofs of decision. Its requirements are the following. The 
completeness requirement states that for any input x, with overwhelming probability 
the verifier accepts and can compute the value χ_L(x). The correctness requirement 
states that for any input x and any (possibly dishonest) prover, the probability that 
the verifier accepts and receives the wrong value 1 − χ_L(x) is negligible. The 
zero-knowledge requirement states that for all probabilistic polynomial time verifiers 
V', the view of V' is efficiently simulatable by a simulator that queries an oracle 
returning χ_L(x). Moreover, the simulation is correct for all x (in L or not). The 
perfect result-indistinguishability requirement states that for all inputs x, the 
conversation between prover and verifier is efficiently simulatable. 


Definition 20. Let P be a probabilistic Turing machine and V a probabilistic poly- 
nomial-time Turing machine that share the same input and can communicate with 
each other. Also, let C be a probabilistic Turing machine having access to the com- 
munication between P and V. Let L be a language. We say that a pair (P,V) is a 
perfect zero-knowledge and perfectly result-indistinguishable transfer of decision 
for L if 

1. Completeness. There exists b ∈ {0,1} such that for all x satisfying χ_L(x) = 
b, Prob[OUT_V(tr_{(P,V)}(x)) = (ACCEPT, χ_L(x))] = 1. 

2. Correctness. For all x, and for all P', 

Prob[OUT_V(tr_{(P',V)}(x)) = (ACCEPT, 1 − χ_L(x))] ≤ 1/2. 

3. Perfect Zero-Knowledge. For any Turing machine V', there exists a proba- 
bilistic Turing machine S_{V'} (called the V'-simulator) running in polynomial 
time such that S_{V'}, given as input both x and χ_L(x), returns ⊥ with prob- 
ability at most 1/2, and, conditioned on S_{V'}(x, χ_L(x)) ≠ ⊥, the probability 
spaces P-View_{V'}(x) and S_{V'}(x, χ_L(x)) are equal. 

4. Perfect Result-Indistinguishability. There exists a probabilistic Turing ma- 
chine M (called the C-simulator) running in probabilistic polynomial time 
such that for all x, the probability spaces (P,V)-View_C(x) and M(x) are equal. 


The only languages known to have a perfect zero-knowledge transfer of decision 
power are the specific languages that are known to be random self-reducible, that 
is, quadratic residuosity [23, 16], graph isomorphism and discrete log [16], and a 
certain class extending these languages [18]. 


A transfer of decision for GI. We start by informally describing the proof system 
(P,V) from [17]. The common input to prover P and verifier V is a pair of graphs 
(G0, G1). We can view (P,V) as made of a sequential composition of 3n iterations 
of an atomic protocol (A,B), which in turn can be divided into three phases. In 
the first phase B randomly chooses a bit b and a graph G isomorphic to G_b, and 
sends it to A. In the second phase, B proves to A that graph G has been correctly 
constructed, without revealing any information about bit b and the permutation 
chosen. In the third phase, A checks that B's proof is accepting; now, if G0 ≅ G1 
then A randomly chooses a bit g; otherwise, if G0 ≇ G1, then A computes bit b 
such that G ≅ G_b and sets g = b. In both cases A proves in zero-knowledge to B 
that G ≅ G_g, and if this proof is not convincing then B rejects. At the end of the 
3n iterations of protocol (A,B), V accepts if B has never rejected. Furthermore, 
if in at least n iterations it holds that b ≠ g, V outputs 1 (meaning that he is 
convinced that G0 ≅ G1); otherwise V outputs 0 (meaning that he is convinced 
that G0 ≇ G1). 

The implementation of the first phase of protocol (A,B) is simple. We observe 
that the second phase can be implemented by using a witness-indistinguishable 
subprotocol, as done in [80] in their zero-knowledge proof system of membership for 
the language of quadratic non-residuosity. In particular, we will use the protocol 
of [28] used in the middle of a zero-knowledge proof of membership for graph 
non-isomorphism. Then we observe that the subprotocol in the third phase, which 
allows P to convince V that G ≅ G_g for some bit g, can be implemented by using 
a three-step protocol, as done in [30] for the language of quadratic residuosity or 
in [28] for the language of graph isomorphism. 


A formal description of (P,V): Let n be an integer and m = n log n. The protocol 
(P,V) is made of 3n sequential repetitions of subprotocol (A,B), which is described 
in Figure 4. Now, if any verification by B is not satisfied, V outputs (REJECT) 
and halts. Otherwise, denote by b_i the bit chosen by V in step B1 of the i-th 
execution of subprotocol (A,B), and by g_i the bit computed by P in step A2 
of the i-th execution of subprotocol (A,B). Then V computes the number s of 
indices i ∈ {1,...,3n} such that b_i = g_i; if it holds that s > 2n then V outputs 
(ACCEPT,1); otherwise V outputs (ACCEPT,0). We obtain the following 


Theorem 11. The protocol (P,V) is a perfectly result-indistinguishable and perfect 
zero-knowledge transfer of decision for GI. 


The rest of the subsection proves Theorem 11. Clearly, V’s program can be per- 
formed in polynomial time. Now we prove the requirements in Definition 20. 


Completeness. We show that for all pairs (G0,G1) of graphs, if P and V follow 
their protocol, then V accepts and outputs χ_GI(G0,G1) with probability greater 
than 1 − n^{-c}, for any constant c. We analyze two cases. First assume G0 ≅ G1; now, 
since V follows his protocol, P will be convinced by V's witness-indistinguishable 
proof that graph H has been correctly computed. Then H is isomorphic to one of 
G0, G1, and the statement L0 ≅ L1 is true, since L0 is isomorphic to H and L1 is 
isomorphic to a randomly chosen graph between G0, G1. Moreover, it holds that 
b_i = g_i with probability 1/2, and therefore the number s of indices i ∈ {1,...,3n} 
such that b_i = g_i will be at least 2n with exponentially small probability (using 
Chernoff bounds). This guarantees that V outputs (ACCEPT,1) with probability 
greater than 1 − n^{-c}, for any constant c. Now, assume G0 ≇ G1; then P can compute 
bit b and permutation β such that H = β(G_b). This implies that the statement 
L0 ≅ L1 is true, since L0 is isomorphic to H and L1 is chosen isomorphic to G_b. 
We observe that b_i = g_i for all i = 1,...,3n, and thus V outputs (ACCEPT,0) 
with probability 1. 

The Protocol (A,B) 

Input to A and B: (G0, G1), where G0, G1 are n-node graphs. 

B1:     Uniformly choose bit b and a permutation β and compute H = β(G_b); 
        for j = 1,...,m, 
          uniformly choose bit a_j and two permutations α_j0, α_j1; 
          compute graphs A_j0 = α_j0(G_{a_j}) and A_j1 = α_j1(G_{1−a_j}). 
B → A:  (H, (A_10, A_11), ..., (A_m0, A_m1)). 
A1:     For j = 1,...,m, uniformly choose bit c_j. 
A → B:  (c_1, ..., c_m). 
B2:     For j = 1,...,m, 
          if c_j = 0 then set σ_j = (α_j0, α_j1); 
          if c_j = 1 then set σ_j = β ∘ α_{j,b⊕a_j}^{-1}. 
B → A:  (σ_1, ..., σ_m). 
A2:     For j = 1,...,m, 
          if c_j = 0 then 
            let σ_j = (η_j0, η_j1); 
            check that A_j0 = η_j0(G_{a_j}) and A_j1 = η_j1(G_{1−a_j}), for some bit a_j; 
          if c_j = 1 then check that H = σ_j(A_j0) or H = σ_j(A_j1); 
        if any of the above verifications is not satisfied then halt; 
        if G0 ≅ G1 then randomly choose a bit g; 
        if G0 ≇ G1 then 
          compute bit b and permutation β such that H = β(G_b) and set g = b; 
        set L0 = H and L1 = G_g; 
        uniformly choose a bit t and a permutation τ and set T = τ(L_t). 
A → B:  (L0, L1), T. 
B3:     Uniformly choose a bit l. 
B → A:  l. 
A3:     If l = t then set ρ = τ; 
        if l = 1 − t then compute ρ such that T = ρ(L_l). 
A → B:  ρ. 
B4:     Check that T = ρ(L_l). 

Figure 4: A result-indistinguishable transfer of decision for GI 


Correctness. We show that for any P' and any input pair (G0,G1), the proba- 
bility that V's output is (ACCEPT, 1 − χ_GI(G0,G1)) is negligible. First, consider 
the case G0 ≅ G1 and assume that V accepts. Then notice that V outputs (ACCEPT,0) 
only when it holds that g_i = b_i for at least 2n values of i ∈ {1,...,3n}; how- 
ever, since G0 ≅ G1 and the subprotocol in the second phase of (P,V) is witness- 
indistinguishable, bit b_i cannot be computed by any P' better than by random 
guessing. Therefore, for any P', the probability that g_i = b_i for at least 2n values 
of index i is smaller than n^{-c}, for any constant c (using Chernoff bounds). Now, 
consider the case G0 ≇ G1 and assume that V accepts. Then notice that V outputs (AC- 
CEPT,1) only when it holds that g_i ≠ b_i for at least n values of i ∈ {1,...,3n}; 
however, since G0 ≇ G1, the statements L_{i0} ≅ L_{i1}, for all i such that g_i ≠ b_i, are 
all false, and thus the probability that V accepts in this case is smaller than n^{-c}, 
for all constants c (using Chernoff bounds). 
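As an added, constructed illustration (not code from the book or from [17]), the following Python models the sequential protocol (P,V) and its atomic round (A,B) from Figure 4 with honest parties, and additionally with a cheating prover P' that guesses g instead of computing b, which is the situation of the second correctness case. The 5-node input graphs, the single RNG shared by A and B, and the brute-force isomorphism search standing in for the unbounded A are assumptions of the example; the verdict (ACCEPT, 1) follows the convention of the informal description and the completeness proof (V convinced that G0 ≅ G1).

```python
"""Added example (not the book's code): an end-to-end toy run of the
transfer of decision (P,V) for GI, built from the atomic protocol (A,B) of
Figure 4 on small constructed graphs.  A and B share one RNG (for
reproducibility), A finds isomorphisms by brute force (it is unbounded in
the model), and `cheat=True` gives a prover P' that guesses g instead of
computing b.  (ACCEPT, 1) means V is convinced that G0 ~ G1, as in the
informal description and the completeness proof."""
import itertools
import math
import random

def graph(*edges):
    """Undirected graph: frozenset of 2-element frozensets (no self-loops)."""
    return frozenset(frozenset(e) for e in edges)

def apply(p, g):
    """Image p(g) of graph g under permutation p (p[v] is the image of v)."""
    return frozenset(frozenset(p[v] for v in e) for e in g)

def compose(p, q):
    """(p o q)[v] = p[q[v]]."""
    return tuple(p[q[v]] for v in range(len(p)))

def invert(p):
    inv = [0] * len(p)
    for v, w in enumerate(p):
        inv[w] = v
    return tuple(inv)

def find_iso(g, h, n):
    """Some p with p(g) == h, or None when g !~ h (exhaustive search)."""
    return next((p for p in itertools.permutations(range(n)) if apply(p, g) == h), None)

def rand_perm(rng, n):
    p = list(range(n))
    rng.shuffle(p)
    return tuple(p)

def atomic_round(G, n, rng, cheat=False):
    """One execution of (A,B) on G = (G0, G1): returns (b, g), or None when a
    verification fails and the party halts."""
    m = math.ceil(n * math.log2(n))
    # B1: H = beta(G_b), plus m pairs (A_j0, A_j1) for the WI proof that H ~ G0 or H ~ G1.
    b, beta = rng.randrange(2), rand_perm(rng, n)
    H = apply(beta, G[b])
    pairs = []
    for _ in range(m):
        a, al0, al1 = rng.randrange(2), rand_perm(rng, n), rand_perm(rng, n)
        pairs.append((a, al0, al1, apply(al0, G[a]), apply(al1, G[1 - a])))
    # A1: challenge bits c_j.  B2: open both permutations (c_j = 0) or the
    # single permutation beta o alpha_{j,b xor a_j}^{-1} mapping A_j{b xor a_j} onto H.
    c = [rng.randrange(2) for _ in range(m)]
    sigma = [(al0, al1) if cj == 0 else compose(beta, invert(al0 if a == b else al1))
             for cj, (a, al0, al1, _, _) in zip(c, pairs)]
    # A2: verify; a cheating B would be caught on a wrong c_j with probability 1/2 per j.
    for cj, sj, (_, _, _, A0, A1) in zip(c, sigma, pairs):
        if cj == 0:
            ok = any(apply(sj[0], G[x]) == A0 and apply(sj[1], G[1 - x]) == A1
                     for x in (0, 1))
        else:
            ok = H in (apply(sj, A0), apply(sj, A1))
        if not ok:
            return None
    # A2 (cont.): g is random if G0 ~ G1, otherwise the b with H ~ G_b.
    if cheat or find_iso(G[0], G[1], n) is not None:
        g = rng.randrange(2)
    else:
        g = 0 if find_iso(G[0], H, n) is not None else 1
    L = (H, G[g])
    t, tau = rng.randrange(2), rand_perm(rng, n)
    T = apply(tau, L[t])
    # B3: challenge l.  A3: rho = tau if l = t, else an isomorphism L_l -> T.
    l = rng.randrange(2)
    rho = tau if l == t else find_iso(L[l], T, n)
    # B4: check T = rho(L_l); a prover with L0 !~ L1 has no answer half the time.
    if rho is None or apply(rho, L[l]) != T:
        return None
    return b, g

def transfer_of_decision(G0, G1, n, rounds=None, seed=0, cheat=False):
    """(P,V): `rounds` repetitions of (A,B) (3n in the book; more rounds only
    shrink the Chernoff error).  Returns 'REJECT', ('ACCEPT', 1) or ('ACCEPT', 0)."""
    rng = random.Random(seed)
    rounds = 3 * n if rounds is None else rounds
    s = 0
    for _ in range(rounds):
        res = atomic_round((G0, G1), n, rng, cheat)
        if res is None:
            return "REJECT"
        b, g = res
        s += int(b == g)
    # b_i = g_i in every round when G0 !~ G1 but only in about half of them when
    # G0 ~ G1, so s >= 2n (i.e. 3s >= 2*rounds) is read as "not isomorphic".
    return ("ACCEPT", 0) if 3 * s >= 2 * rounds else ("ACCEPT", 1)

# Constructed 5-node inputs: C5, a relabelled C5 and C4 with a pendant edge.
C5 = graph((0, 1), (1, 2), (2, 3), (3, 4), (4, 0))
C5_RELABELLED = graph((0, 2), (2, 4), (4, 1), (1, 3), (3, 0))
C4_PENDANT = graph((0, 1), (1, 2), (2, 3), (3, 0), (0, 4))
```

With the default 3n = 15 rounds the isomorphic case is wrongly decided with noticeable probability, which is why the Chernoff argument needs n large; passing rounds=300 makes the verdicts effectively deterministic.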


Perfect zero-knowledge. Now we informally describe a simulator S_{V'} such that, 
for all pairs (G0, G1), the probability spaces S_{V'}(G0, G1) and View_{V'}(G0, G1) are 
equal. Since protocol (P,V) is constructed as a sequential repetition of an atomic 
protocol, it will be enough to describe the program of S_{V'} simulating only such 
atomic protocol (in this description we will also omit the index of messages denot- 
ing the number of the iteration). 

The algorithm S_{V'}. First of all S_{V'} feeds V' with a uniformly chosen random tape 
R; then he receives from V' graph H and the witness-indistinguishable proof of 
knowledge certifying that this graph has been correctly constructed (during this 
proof, S_{V'} acts as a verifier of such proof and can run P's program, since it can 
be performed in polynomial time). Now, if the proof is not convincing then S_{V'} 
outputs the conversation obtained so far, and halts. If the proof is convincing and 
χ_GI(G0, G1) = 1 then S_{V'} runs the extractor for the proof of knowledge in order 
to compute bit b and permutation β such that H = β(G_b). Now, S_{V'} can compute 
pair (L0, L1) as follows: graph L0 is computed as done by P in the protocol (i.e., 
L0 = H), and graph L1 is computed as uniformly chosen among graphs isomorphic 
to G_b if χ_GI(G0, G1) = 1, or isomorphic to G_g for some random bit g otherwise. 
Now, the remaining steps of S_{V'} consist of simulating the atomic proof by P that 
L0 ≅ L1, and can be simulated by using the rewinding technique, as follows. First S_{V'} 
computes a graph T uniformly among those isomorphic to L_t, for some random 
bit t; then he receives bit l from V'; now, if t = l then S_{V'} sends the permutation 
between T and L_l, otherwise he rewinds V' until after he has computed graphs 
L0, L1 and tries again until t = l. Finally S_{V'} outputs the conversation obtained. 

To prove that the perfect zero-knowledge requirement is satisfied, we need to 
show that algorithm S_{V'} is expected polynomial time, and its output S_{V'}(G0, G1) 
is identically distributed to View_{V'}(G0, G1), for all input pairs (G0, G1). 

To see that algorithm S_{V'} runs in expected polynomial time, we observe 
that S_{V'} only runs polynomial-time instructions and the extractor for the proof of 
knowledge by V', which runs in expected polynomial time. Also, when simulating 
the third phase of (P,V), the simulation is iterated with probability at most 1/2. 

Now we show that for all pairs (G0,G1) and any V', the distributions 
S_{V'}(G0,G1) and View_{V'}(G0, G1) are equal. Clearly the verifier's random tape is 
uniformly distributed in both spaces and the messages sent by the verifier are com- 
puted equally in both spaces. Now, let us consider the messages sent by the prover. 
It is simple to check that the random bits sent by the prover during the executions 
of the witness-indistinguishable subprotocol executed in the second phase of (P,V) 
are also computed in the same way in both spaces. This is true also for graphs 
L0, L1 and for the other messages of P. 


Perfect result-indistinguishability. To prove this property, we exhibit an efficient 
simulator M such that, on input (G0, G1), outputs a probability space M(G0, G1) 
which is equal to the view of an observer C of the conversation during the execution 
of the protocol (P,V) on input (G0, G1). In this case a description for the atomic 
protocol (A,B) suffices. Informally, first M simulates the first two phases of (P,V) 
by executing the same instructions as P and V. That is, he will compute a graph 
H as H = β(G_b) for random b and β, and simulate the witness-indistinguishable 
proof that H has been correctly constructed, using b, β. Now, the simulator M 
computes graphs L0, L1 as follows: L0 is set equal to H, and L1 is uniformly 
chosen among the graphs isomorphic to G_b. Now, M simulates the proof by P 
that L0 is isomorphic to L1, as follows: he chooses T uniformly among graphs 
isomorphic to L_t, for some random bit t, sets the message by the verifier equal to 
bit t, and sets the final message by P equal to the permutation between T and 
L_t. The probability spaces M(G0, G1) and (P,V)-View_C(G0, G1) are equal for any 
(G0, G1). 
Provable Security for Public Key Schemes 


David Pointcheval 


Abstract. Since the appearance of public-key cryptography in the Diffie-Hell- 
man seminal paper, many schemes have been proposed, but many have been 
broken. Indeed, for a long time, the simple fact that a cryptographic algorithm 
had withstood cryptanalytic attacks for several years was considered as a kind 
of validation. But some schemes took a long time before being widely studied, 
and maybe thereafter being broken. 

A much more convincing line of research has tried to provide “prov- 
able” security for cryptographic protocols, in a complexity theory sense: if 
one can break the cryptographic protocol, one can efficiently solve the un- 
derlying problem. Unfortunately, this initially was a purely theoretical work: 
very few practical schemes could be proven in this so-called “standard model” 
because such a security level rarely meets with efficiency. Ten years ago, Bel- 
lare and Rogaway proposed a trade-off to achieve some kind of validation 
of efficient schemes, by identifying some concrete cryptographic objects with 
ideal random ones. The most famous identification appeared in the so-called 
“random-oracle model”. More recently, another direction has been taken to 
prove the security of efficient schemes in the standard model (without any 
ideal assumption) by using stronger computational assumptions. 

In these lectures, we focus on practical asymmetric protocols together 
with their “reductionist” security proofs, mainly in the random-oracle model. 
We cover the two main goals that public-key cryptography is devoted to solve: 
authentication with digital signatures, and confidentiality with public-key en- 
cryption schemes. 


1. Introduction 


Since the beginning of public-key cryptography, with the seminal Diffie-Hellman 
paper [25], many suitable algorithmic problems for cryptography have been pro- 
posed and many cryptographic schemes have been designed, together with more 
or less heuristic proofs of their security relative to the intractability of the above 
problems. However, most of those schemes have thereafter been broken. 
The simple fact that a cryptographic algorithm withstood cryptanalytic at- 
tacks for several years has often been considered as a kind of validation procedure, 
but some schemes take a long time before being broken. An example is the Chor- 
Rivest cryptosystem [21, 48], based on the knapsack problem, which took more 
than 10 years to be totally broken [86], whereas before this attack it was believed 
to be strongly secure. As a consequence, the lack of attacks at some time should 
never be considered as a security validation of the proposal. 


1.1. Provable Security 


A completely different paradigm is provided by the concept of “provable” secu- 
rity. A significant line of research has tried to provide proofs in the framework of 
complexity theory (a.k.a. “reductionist” security proofs [4]): the proofs provide re- 
ductions from a well-studied problem (RSA or the discrete logarithm) to an attack 
against a cryptographic protocol. 

At the beginning, people just tried to define the security notions required by 
actual cryptographic schemes, and then to design protocols which achieve these no- 
tions. The techniques were directly derived from the complexity theory, providing 
polynomial reductions. However, their aim was essentially theoretical. They were 
indeed trying to minimize the required assumptions on the primitives (one-way 
functions or permutations, possibly trapdoor, etc) [37, 35, 52, 71] without consid- 
ering practicality. Therefore, they just needed to design a scheme with polynomial 
algorithms, and to exhibit polynomial reductions from the basic assumption on the 
primitive into an attack of the security notion, in an asymptotic way. However, 
such a result has no practical impact on actual security. Indeed, even with a poly- 
nomial reduction, one may be able to break the cryptographic protocol within a 
few hours, whereas the reduction just leads to an algorithm against the underlying 
problem which requires many years. Therefore, those reductions only prove the se- 
curity when very large (and thus perhaps impractical) parameters are in use, under 
the assumption that no polynomial time algorithm exists to solve the underlying 
problem. 


1.2. Exact Security and Practical Security 


For a few years, more efficient reductions have been expected, under the denom- 
inations of either “exact security” [12] or “concrete security” [58], which provide 
more practical security results. The perfect situation is reached when one manages 
to prove that, from an attack, one can describe an algorithm against the under- 
lying problem, with almost the same success probability within almost the same 
amount of time. We have then achieved “practical security”. 

Unfortunately, in many cases, even just provable security is at the cost of an 
important loss in terms of efficiency for the cryptographic protocol. Thus some 
models have been proposed, trying to deal with the security of efficient schemes: 
some concrete objects are identified with ideal (or black-box) ones. 

For example, it is by now usual to identify hash functions with ideal random 
functions, in the so-called “random-oracle model”, informally introduced by Fiat 
and Shamir [28], and formalized by Bellare and Rogaway [10]. Similarly, block 
ciphers are identified with families of truly random permutations in the “ideal 
cipher model” [9]. A few years ago, another kind of idealization was introduced 
in cryptography, the black-box group [53, 80], where the group operation, in any 
algebraic group, is defined by a black-box: a new element necessarily comes from 
the addition (or the subtraction) of two already known elements. It is by now 
called the “generic model”. Recent works [77, 18] even require several ideal models 
together to provide some new validations. 


1.3. Outline of the Notes 


In the next section, we explain and motivate more about exact security proofs, and 
we introduce the notion of the weaker security analyses, the security arguments 
(in an ideal model, and namely the random-oracle model). Then, we review the 
formalism of the most important asymmetric primitives: signatures and public- 
key encryption schemes. For both, we provide some examples, with some security 
analyses in the “reductionist” sense. 


1.4. Related Work 


These notes present a survey, based on several published papers, from the author, 
with often several co-authors: about signature [67, 69, 68, 17, 84], encryption [7, 
3, 62, 59, 32, 33] and provably secure constructions [61, 63, 65, 64, 66]. Many 
other papers are also cited and rephrased, which present efficient provably secure 
constructions. Among the bibliography list presented at the end, we would like to 
insist on [10, 11, 12, 22, 82, 83]. We thus refer the reader to the original papers for 
more details. 


2. Security Proofs and Security Arguments 


2.1. Computational Assumptions 


In both symmetric and asymmetric scenarios, many security notions cannot be 
unconditionally guaranteed (whatever the computational power of the adversary). 
Therefore, security generally relies on a computational assumption: the existence 
of one-way functions, or permutations, possibly trapdoor. A one-way function is 
a function f which anyone can easily compute, but given y = f(x) it is computa- 
tionally intractable to recover x (or any pre-image of y). A one-way permutation 
is a bijective one-way function. For encryption, one would like the inversion to be 
possible for the recipient only: a trapdoor one-way permutation is a one-way per- 
mutation for which a secret information (the trapdoor) helps to invert the function 
on any point. 

Given such objects, and thus computational assumptions about the intract- 
ability of the inversion without possible trapdoors, we would like that security 
could be achieved without extra assumptions. The only way to formally prove 
such a fact is by showing that an attacker against the cryptographic protocol can 
be used as a sub-part in an algorithm that can break the basic computational 
assumption. 

A partial order therefore exists between computational assumptions (and 
intractable problems too): if a problem P is more difficult than the problem P’ 
(P’ reduces to P, see below) then the assumption of the intractability of the 
problem P is weaker than the assumption of the intractability of the problem P’. 
The weaker the required assumption is, the more secure the cryptographic scheme 
is. 


2.2. “Reductionist” Security Proofs 


In complexity theory, such an algorithm which uses the attacker as a sub-part in 
a global algorithm is called a reduction. If this reduction is polynomial, we can 
say that the attack of the cryptographic protocol is at least as hard as inverting 
the function: if one has a polynomial algorithm to solve the latter problem, one 
can polynomially solve the former one. In the complexity theory framework, a 
polynomial algorithm is the formalization of efficiency. 

Therefore, in order to prove the security of a cryptographic protocol, one first 
needs to make precise the security notion one wants the protocol to achieve: which 
adversary’s goal one wants to be intractable, under which kind of attack. At the 
beginning of the 1980’s, such security notions have been defined for encryption [35] 
and signature [37, 38], and provably secure schemes have been suggested. However, 
those proofs had a theoretical impact only, because both the proposed schemes and 
the reductions were completely unpractical, yet polynomial. The reductions were 
indeed efficient (i.e. polynomial), and thus a polynomial attack against a cryp- 
tosystem would have led to a polynomial algorithm that broke the computational 
assumption. But the latter algorithm, even polynomial, may require hundreds of 
years to solve a small instance. 

For example, let us consider a cryptographic protocol based on integer factor- 
ing. Let us assume that one provides a polynomial reduction from the factorization 
into an attack. But such a reduction may just lead to a factorization algorithm 
with a complexity in 2^{25} k^{10}, where k is the bit-size of the integer to factor. This 
indeed contradicts the assumption that no polynomial algorithm exists for fac- 
toring. However, on a 1024-bit number (k = 2^{10}), it provides an algorithm that 
requires 2^{125} basic operations, which is much more than the complexity of the best 
current algorithm, such as NFS [46], which needs less than 2^{100} (see Section 4). 
Therefore, such a reduction would just be meaningful for numbers above 4096 bits 
(since with k = 2^{12}, 2^{145} < 2^{149}, where 2^{149} is the estimated effort for factoring a 
4096-bit integer with the best algorithm.) Concrete examples are given later. 


2.3. Practical Security 


Moreover, most of the proposed schemes were unpractical as well. Indeed, the pro- 
tocols were polynomial in time and memory, but not efficient enough for practical 
implementation. 




For a few years, people have tried to provide both practical schemes, with 
practical reductions and exact complexity, which prove the security for realis- 
tic parameters, under a well-defined assumption: exact reduction in the standard 
model (which means in the complexity-theoretic framework). For example, under 
the assumption that a 1024-bit integer cannot be factored with less than 2^{70} basic 
operations, the cryptographic protocol cannot be broken with less than 2^{60} basic 
operations. We will see such an example later. 

Unfortunately, as already remarked, practical or even just efficient reductions 
in the standard model can rarely be conjugated with practical schemes. Therefore, 
one needs to make some hypotheses on the adversary: the attack is generic, inde- 
pendent of the actual implementation of some objects: 


• hash functions, in the “random-oracle model”; 
• symmetric block ciphers, in the “ideal-cipher model”; 
• algebraic groups, in the “generic model”. 


The “random-oracle model” was the first to be introduced in the cryptographic 
community [28, 10], and has already been widely accepted. By the way, flaws have 
been shown in the “generic model” [84] on practical schemes, and the “random- 
oracle model” is not equivalent to the standard one either. Several gaps have al- 
ready been exhibited [19, 54, 6]. However, all the counter-examples in the random- 
oracle model are pathological, counter-intuitive and not natural. Therefore, in the 
sequel, we focus on security analyses in this model, for real and natural construc- 
tions. A security proof in the random-oracle model will at least give a strong ar- 
gument in favor of the security of the scheme. Furthermore, proofs in the random- 
oracle model under a weak computational assumption may be of more practical 
interest than proofs in the standard model under a strong computational assump- 
tion. 


2.4. The Random-Oracle Model 


As said above, efficiency rarely meets with provable security. More precisely, none 
of the most efficient schemes in their category have been proven secure in the 
standard model. However, some of them admit security validations under ideal 
assumptions: the random-oracle model is the most widely accepted one. 

Many cryptographic schemes use a hash function H (such as MD5 [72] or the 
American standards SHA-1 [56], SHA-256, SHA-384 and SHA-512 [57]). This use 
of hash functions was originally motivated by the wish to sign long messages with a 
single short signature. In order to achieve non-repudiation, a minimal requirement 
on the hash function is the impossibility for the signer to find two different messages 
providing the same hash value. This property is called collision-resistance. 

It was later realized that hash functions were an essential ingredient for the 
security of, first, signature schemes, and then of most cryptographic schemes. In 
order to obtain security arguments, while keeping the efficiency of the designs 
that use hash functions, a few authors suggested using the hypothesis that H 
behaves like a random function. First, Fiat and Shamir [28] applied it heuristically 
to provide a signature scheme “as secure as” factorization. Then, Bellare and 
Rogaway [10, 11, 12] formalized this concept for cryptography, and namely for 
signature and public-key encryption. 

In this model, the so-called “random-oracle model”, the hash function can be 
formalized by an oracle which produces a truly random value for each new query. 
Of course, if the same query is asked twice, identical answers are obtained. This 
is precisely the context of relativized complexity theory with “oracles,” hence the 
name. 

About this model, no one has ever been able to provide a convincing con- 
tradiction to its practical validity, but just theoretical counter-examples on either 
clearly wrong designs for practical purpose [19], or artificial security notions [54, 6]. 
Therefore, this model has been strongly accepted by the community, and is con- 
sidered as a good one, in which security analyses give a good taste of the actual 
security level. Even if it does not provide a formal proof of security (as in the 
standard model, without any ideal assumption), it is argued that proofs in this 
model ensure security of the overall design of the scheme provided that the hash 
function has no weakness, hence the name “security arguments”. 

This model can also be seen as a restriction on the adversary’s capabilities. In- 
deed, it simply means that the attack is generic without considering any particular 
instantiation of the hash functions. Therefore, an actual attack would necessarily 
use a weakness or a specific feature of the hash function. The replacement of the 
hash function by another one would rule out this attack. 

On the other hand, assuming the tamper-resistance of some devices, such as 
smart cards, the random-oracle model is equivalent to the standard model, which 
simply requires the existence of pseudo-random functions [34, 51]. 

As a consequence, almost all the standards bodies by now require designs 
provably secure, at least in that model, thanks to the security validation of very 
efficient protocols. 


2.5. The General Framework 


Before going into more details of this kind of proofs, we would like to insist on the 
fact that in the current general framework, we give the adversary complete access 
to the cryptographic primitive, but as a black-box. It can ask any query of its 
choice, and the box always answers correctly, in constant time. Such a model does 
not consider timing attacks [44], where the adversary tries to extract the secrets 
from the computational time. Some other attacks analyze the electrical energy 
required by a computation to get the secrets [45], or to make the primitive fail on 
some computation [13, 16]. They are not captured either by this model. 


3. A First Formalism 


In this section we describe more formally what a signature scheme and an encryp- 
tion scheme are. Moreover, we make precise the security notions one wants the 
schemes to achieve. This is the first imperative step towards provable security. 
3.1. Digital Signature Schemes 


Digital signature schemes are the electronic version of handwritten signatures for 
digital documents: a user’s signature on a message m is a string which depends 
on m, on public and secret data specific to the user and —possibly— on randomly 
chosen data, in such a way that anyone can check the validity of the signature by 
using public data only. The user’s public data are called the public key, whereas 
his secret data are called the private key. The intuitive security notion would be 
the impossibility to forge user’s signatures without the knowledge of his private 
key. In this section, we give a more precise definition of signature schemes and of 
the possible attacks against them (most of those definitions are based on [38]). 


3.1.1. Definitions. A signature scheme S = (K,S,V) is defined by the three fol- 
lowing algorithms: 


• The key generation algorithm K. On input 1^k, which is a formal notation 
for a machine with running time polynomial in k (1^k is indeed k in base 1), 
the algorithm K produces a pair (pk, sk) of matching public and private keys. 
Algorithm K is probabilistic. The input k is called the security parameter. The 
sizes of the keys, or of any problem involved in the cryptographic scheme, will 
depend on it, in order to achieve an appropriate security level (the expected 
minimal time complexity of any attack). 

• The signing algorithm S. Given a message m and a pair of matching public 
and private keys (pk, sk), S produces a signature σ. The signing algorithm 
might be probabilistic. 

• The verification algorithm V. Given a signature σ, a message m and a public 
key pk, V tests whether σ is a valid signature of m with respect to pk. In 
general, the verification algorithm need not be probabilistic. 


3.1.2. Forgeries and Attacks. In this subsection, we formalize some security no- 
tions which capture the main practical situations. On the one hand, the goals of 
the adversary may be various: 


• Disclosing the private key of the signer. It is the most serious attack. This 
attack is termed total break. 

• Constructing an efficient algorithm which is able to sign messages with good 
probability of success. This is called universal forgery. 

• Providing a new message-signature pair. This is called existential forgery. 
The corresponding security level is called existential unforgeability (EUF). 


In many cases the latter forgery, the existential forgery, is not dangerous because the output message is likely to be meaningless. Nevertheless, a signature scheme which is existentially forgeable does not guarantee by itself the identity of the signer. For example, it cannot be used to certify random-looking elements, such as keys. Furthermore, it cannot formally guarantee the non-repudiation property, since anyone may be able to produce a message with a valid signature.
On the other hand, various means can be made available to the adversary, helping it in its forgery. We focus on two specific kinds of attacks against signature schemes: the no-message attacks and the known-message attacks (KMA). In the former scenario, the attacker only knows the public key of the signer. In the latter, the attacker has access to a list of valid message-signature pairs. According to the way this list was created, we usually distinguish many subclasses, but the strongest is definitely the adaptive chosen-message attack (CMA), where the attacker can ask the signer to sign any message of its choice, in an adaptive way: it can adapt its queries according to previous answers.

When signature generation is not deterministic, there may be several signatures corresponding to a given message. And then, some notions defined above may become ambiguous [84]. First, in known-message attacks, an existential forgery becomes the ability to forge a fresh message/signature pair that has not been obtained during the attack. There is a subtle point here, related to the context where several signatures may correspond to a given message. We actually adopt the stronger rule that the attacker needs to forge the signature of a message whose signature was not queried. The more liberal rule, which makes the attacker successful when it outputs a second signature of a given message, different from a previously obtained signature of the same message, is called malleability, while the corresponding security level is called non-malleability (NM). Similarly, in adaptive chosen-message attacks, the adversary may ask for the same message several times, and each new answer gives it some information. A slightly weaker security model, by now called single-occurrence adaptive chosen-message attack (SO-CMA), allows the adversary at most one signature query for each message. In other words, the adversary cannot submit the same message twice for signature.

When one designs a signature scheme, one wants to computationally rule out at least existential forgeries, or even achieve non-malleability, under adaptive chosen-message attacks. More formally, one wants that the success probability of any adversary $\mathcal{A}$ with a reasonable running time is small, where

$$\mathrm{Succ}^{\mathrm{euf}}(\mathcal{A}) = \Pr\left[(pk, sk) \leftarrow \mathcal{K}(1^k),\ (m, \sigma) \leftarrow \mathcal{A}^{\mathcal{S}_{sk}}(pk) : \mathcal{V}(pk, m, \sigma) = 1\right].$$

We remark that since the adversary is allowed to play an adaptive chosen-message attack, the signing algorithm is made available, without any restriction, hence the oracle notation $\mathcal{A}^{\mathcal{S}_{sk}}$. Of course, in its answer, there is the natural restriction that, at least, the returned message-signature pair has not been obtained from the signing oracle $\mathcal{S}_{sk}$ itself (non-malleability), or even that the output message has not been queried (existential unforgeability).


3.2. Public-Key Encryption 


The aim of a public-key encryption scheme is to allow anybody who knows the public key of Alice to send her a message that she will be the only one able to recover, granted her private key.

3.2.1. Definitions. A public-key encryption scheme $\mathcal{S} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ is defined by the three following algorithms:

• The key generation algorithm $\mathcal{K}$. On input $1^k$ where $k$ is the security parameter, the algorithm $\mathcal{K}$ produces a pair $(pk, sk)$ of matching public and private keys. Algorithm $\mathcal{K}$ is probabilistic.

• The encryption algorithm $\mathcal{E}$. Given a message $m$ and a public key $pk$, $\mathcal{E}$ produces a ciphertext $c$ of $m$. This algorithm may be probabilistic. In the latter case, we write $\mathcal{E}_{pk}(m; r)$ where $r$ is the random input to $\mathcal{E}$.

• The decryption algorithm $\mathcal{D}$. Given a ciphertext $c$ and the private key $sk$, $\mathcal{D}_{sk}(c)$ gives back the plaintext $m$. This algorithm is necessarily deterministic.


3.2.2. Security Notions. As for signature schemes, the goals of the adversary may be various. The first common security notion that one would like for an encryption scheme is one-wayness (OW): with just public data, an attacker cannot get back the whole plaintext of a given ciphertext. More formally, this means that for any adversary $\mathcal{A}$, its success in inverting $\mathcal{E}$ without the private key should be negligible over the probability space $\mathcal{M} \times \Omega$, where $\mathcal{M}$ is the message space and $\Omega$ is the space of the random coins $r$ used for the encryption scheme, and the internal random coins of the adversary:

$$\mathrm{Succ}^{\mathrm{ow}}(\mathcal{A}) = \Pr\left[(pk, sk) \leftarrow \mathcal{K}(1^k) : \mathcal{A}(pk, \mathcal{E}_{pk}(m; r)) = m\right].$$

However, many applications require more from an encryption scheme, namely semantic security (IND) [35], a.k.a. polynomial security/indistinguishability of encryptions: if the attacker has some information about the plaintext, for example that it is either "yes" or "no" to a crucial query, it should not learn more from the view of the ciphertext. This security notion requires the computational impossibility to distinguish, between two messages chosen by the adversary, which one has been encrypted, with a probability significantly better than one half: its advantage $\mathrm{Adv}^{\mathrm{ind}}(\mathcal{A})$, formally defined as

$$\mathrm{Adv}^{\mathrm{ind}}(\mathcal{A}) = 2 \times \Pr_{b, r}\left[(pk, sk) \leftarrow \mathcal{K}(1^k),\ (m_0, m_1, s) \leftarrow \mathcal{A}_1(pk),\ c = \mathcal{E}_{pk}(m_b; r) : \mathcal{A}_2(m_0, m_1, s, c) = b\right] - 1,$$

where the adversary $\mathcal{A}$ is seen as a 2-stage attacker $(\mathcal{A}_1, \mathcal{A}_2)$ and the bit $b$ is drawn uniformly at random, should be negligible.

A later notion is non-malleability (NM) [26]. To break it, the adversary, given 
a ciphertext, tries to produce a new ciphertext such that the plaintexts are mean- 
ingfully related. This notion is stronger than the above semantic security, but it is 
equivalent to the latter in the most interesting scenario [7] (the CCA attacks, see 
below). Therefore, we will just focus on one-wayness and semantic security. 

On the other hand, an attacker can play many kinds of attacks, according to the available information: since we are considering asymmetric encryption, the adversary can encrypt any plaintext of its choice, granted the public key, hence the chosen-plaintext attack (CPA). It may furthermore have access to additional information, modeled by partial or full access to some oracles:

• A validity-checking oracle which, on input a ciphertext $c$, answers whether it is a valid ciphertext or not. Such a weak oracle, involved in the so-called reaction attacks [39] or Validity-Checking Attack (VCA), had been enough to break some famous encryption schemes [15, 42].

• A plaintext-checking oracle which, on input a pair $(m, c)$, answers whether $c$ encrypts the message $m$. This attack has been termed the Plaintext-Checking Attack (PCA) [59].

• The decryption oracle itself, which on any ciphertext answers the corresponding plaintext. There is of course the natural restriction not to ask the challenge ciphertext to that oracle.

For all these oracles, access may be restricted as soon as the challenge ciphertext is known; the attack is then said non-adaptive, since oracle queries cannot depend on the challenge ciphertext, while they may depend on previous answers. On the opposite, access can be unlimited, and attacks are then called adaptive attacks (w.r.t. the challenge ciphertext). This distinction has been widely used for the chosen-ciphertext attacks, for historical reasons: the non-adaptive chosen-ciphertext attacks (CCA1) [52], a.k.a. lunchtime attacks, and the adaptive chosen-ciphertext attacks (CCA2) [71]. The latter scenario, which allows adaptively chosen ciphertexts as queries to the decryption oracle, is definitely the strongest attack, and will be named the chosen-ciphertext attack (CCA).

Furthermore, multi-user scenarios can be considered where related messages are encrypted under different keys to be sent to many people (e.g. broadcast of encrypted data). This may provide many useful data for an adversary. For example, RSA is well-known to be weak in such a scenario [40, 79], namely with a small encryption exponent, because of the Chinese Remainder Theorem. But once again, semantic security has been shown to be the appropriate security level, since it automatically extends to the multi-user setting: if an encryption scheme is semantically secure in the classical sense, it is also semantically secure in multi-user scenarios, against both passive [3] and active [5] adversaries.

A general study of these security notions and attacks was conducted in [7]; we therefore refer the reader to this paper for more details. See also the summary diagram on Figure 1. Here, we just review the main scenarios we will consider in the following:

• one-wayness under chosen-plaintext attacks (OW-CPA), where the adversary wants to recover the whole plaintext from just the ciphertext and the public key. This is the weakest scenario.

• semantic security under adaptive chosen-ciphertext attacks (IND-CCA), where the adversary just wants to distinguish which plaintext, between two messages of its choice, has been encrypted, while it can ask any query it wants to a decryption oracle (except the challenge ciphertext). This is the strongest scenario one can define for encryption (still in our general framework). Thus, this is our goal when we design a cryptosystem.
NM-CPA  <--  NM-CCA
IND-CPA <--  IND-CCA
OW-CPA  <--  OW-VCA  <--  OW-PCA  <--  OW-CCA

OW:  One-Wayness                          CPA: Chosen-Plaintext Attack
IND: Indistinguishability                 VCA: Validity-Checking Attack
     (a.k.a. Semantic Security)                (a.k.a. Reaction Attack)
NM:  Non-Malleability                     PCA: Plaintext-Checking Attack
                                          CCA: Chosen-Ciphertext Attack

FIGURE 1. Relations between the Security Notions for Asymmetric Encryption (an arrow A <-- B means that security in the sense B implies security in the sense A).


4. The Computational Assumptions 


There are two major families in number theory-based public-key cryptography:

1. the schemes based on integer factoring, and on the RSA problem [73];

2. the schemes based on the discrete logarithm problem, and on the Diffie-Hellman problems [25], in any "suitable" group. The first groups in use were cyclic subgroups of $\mathbb{Z}_p^*$, the multiplicative group of the modular quotient ring $\mathbb{Z}_p = \mathbb{Z}/p\mathbb{Z}$. But many schemes are now converted to cyclic subgroups of elliptic curves, or of the Jacobian of hyper-elliptic curves, namely with the so-called ECDSA [1], the US Digital Signature Standard [55] on elliptic curves.


4.1. Integer Factoring and the RSA Problem 


The most famous intractable problem is factorization of integers: while it is easy to multiply two prime integers $p$ and $q$ to get the product $n = p \cdot q$, it is not simple to decompose $n$ into its prime factors $p$ and $q$.

Currently, the most efficient algorithm is based on sieving on number fields. The Number Field Sieve (NFS) method [46] has a super-polynomial, but sub-exponential, complexity in $O\!\left(\exp\left((1.923 + o(1)) (\ln n)^{1/3} (\ln \ln n)^{2/3}\right)\right)$. It has been used to establish the main record, in August 1999, by factoring a 155-digit integer (512 bits), product of two 78-digit primes [20]. The factored number, called RSA-155, was taken from the "RSA Challenge List", which is used as a yardstick for the security of the RSA cryptosystem (see later). The latter is used extensively in hardware and software to protect electronic data traffic such as in the SSL (Secure Sockets Layer) Handshake Protocol.

This record is very important since 155 digits correspond to 512 bits. And this is the size which is in use in almost all the implementations of the RSA cryptosystem (namely for actual implementations of SSL on the Internet).

RSA-155 =
109417386415705274218097073220403576120\
037329454492059909138421314763499842889\
347847179972578912673324976257528997818\
33797076537244027146743531593354333897

= 102639592829741105772054196573991675900\
716567808038066803341933521790711307779

* 106603488380168454820927220360012878679\
207958575989291522270608237193062808643

Unfortunately, integer multiplication just provides a one-way function, without any possibility to invert the process. No information is known to make factoring easier. However, some algebraic structures are based on the factorization of an integer $n$, where some computations are difficult without the factorization of $n$, but easy with it: the finite quotient ring $\mathbb{Z}_n$, which is isomorphic to the product ring $\mathbb{Z}_p \times \mathbb{Z}_q$ if $n = p \cdot q$.

For example, the $e$-th power of any element $x$ can be easily computed using the square-and-multiply method. It consists in using the binary representation of the exponent $e = e_k e_{k-1} \ldots e_0$, computing the successive $2^i$-th powers of $x$ ($x, x^2, x^4, \ldots, x^{2^k}$) and eventually multiplying together the ones for which $e_i = 1$. However, to compute $e$-th roots, it seems that one requires to know an integer $d$ such that $ed = 1 \bmod \varphi(n)$, where $\varphi(n)$ is the Euler totient function, which denotes the cardinality of the multiplicative group $\mathbb{Z}_n^*$ of $\mathbb{Z}_n$. In the particular case where $n = pq$, $\varphi(n) = (p-1)(q-1)$. And therefore, $ed - 1$ is a multiple of $\varphi(n)$, which is equivalent to the knowledge of the factorization of $n$ [50]. In 1978, Rivest, Shamir and Adleman [73] defined the following problem:


The RSA Problem. Let $n = pq$ be the product of two large primes of similar size and $e$ an integer relatively prime to $\varphi(n)$. For a given $y \in \mathbb{Z}_n^*$, compute the modular $e$-th root $x$ of $y$ (i.e. $x \in \mathbb{Z}_n^*$ such that $x^e = y \bmod n$).

The Euler function can be easily computed from the factorization of $n$, since for any $n = \prod_i p_i^{v_i}$,

$$\varphi(n) = n \times \prod_i \left(1 - \frac{1}{p_i}\right).$$

Therefore, with the factorization of $n$ (the trapdoor), the RSA problem can be easily solved. But nobody knows whether the factorization is required, and how to do without it either:

The RSA Assumption. For any product of two primes, $n = pq$, large enough, the RSA problem is intractable (presumably as hard as the factorization of $n$).
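As an added worked example (not the chapter's own code), the following Python script implements the square-and-multiply method described above, the trapdoor solution of the RSA problem with $d$, and the classical argument behind the equivalence cited as [50]: since $ed - 1$ is a multiple of $\varphi(n)$, raising a base $a$ to $(ed-1)/2^i$ yields, with good probability, a square root of 1 modulo $n$ other than $\pm 1$, and $\gcd(x - 1, n)$ then splits $n$. The modulus is a constructed toy ($n = 61 \times 53$, $e = 17$), far from the sizes discussed above.

```python
"""RSA trapdoor arithmetic on a constructed toy modulus.

Added illustration for this text (not the chapter's own code).  n = 61 * 53
and e = 17 are textbook-sized values chosen so that every step can be checked
by hand; real moduli are thousands of bits long.
"""
import math


def square_and_multiply(x, e, n):
    """x^e mod n by scanning the bits e_0, e_1, ... of e: keep the successive
    squares x, x^2, x^4, ... and multiply in those whose bit e_i is set."""
    result, power = 1, x % n
    while e:
        if e & 1:
            result = result * power % n
        power = power * power % n
        e >>= 1
    return result


def euler_phi(prime_factors):
    """Return (n, phi(n)) with phi(n) = n * prod(1 - 1/p_i) from {p_i: v_i}."""
    n = 1
    for p, v in prime_factors.items():
        n *= p ** v
    phi = n
    for p in prime_factors:
        phi = phi // p * (p - 1)
    return n, phi


def rsa_keygen(p, q, e):
    """Public (n, e) and trapdoor d with e*d = 1 mod phi(n); needs gcd(e, phi) = 1."""
    n, phi = euler_phi({p: 1, q: 1})
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return n, pow(e, -1, phi)


def eth_root(y, d, n):
    """Solve the RSA problem with the trapdoor: x = y^d is the e-th root of y."""
    return square_and_multiply(y, d, n)


def factor_from_d(n, e, d):
    """Recover {p, q} from a valid decryption exponent d.

    e*d - 1 = 2^s * t is a multiple of phi(n), so a^(2^s * t) = 1 mod n for
    every a coprime to n.  Walking a^t, a^(2t), ..., the first value whose
    square is 1 is a square root of 1; if it is neither 1 nor -1 it reveals
    a factor through gcd(x - 1, n).  Candidates a are tried in order instead
    of at random so that the result is reproducible."""
    k, s = e * d - 1, 0
    while k % 2 == 0:
        k //= 2
        s += 1
    t = k
    for a in range(2, n):
        g = math.gcd(a, n)
        if g != 1:                       # lucky: a already shares a factor
            return sorted((g, n // g))
        x =  pow(a, t, n)
        if x in (1, n - 1):
            continue                     # this a only yields trivial roots
        for _ in range(s):
            y = x * x % n
            if y == 1:                   # x is a non-trivial square root of 1
                g = math.gcd(x - 1, n)
                return sorted((g, n // g))
            if y == n - 1:
                break                    # next square is 1 trivially; try another a
            x = y
    raise ValueError("d is not a valid decryption exponent for (n, e)")


if __name__ == "__main__":
    n, d = rsa_keygen(61, 53, 17)                 # toy: n = 3233, d = 2753
    y = square_and_multiply(65, 17, n)            # y = 65^e mod n
    print("e-th root with trapdoor:", eth_root(y, d, n))
    print("factors recovered from d:", factor_from_d(n, 17, d))
```

The same `factor_from_d` routine is what makes key escrow of $d$ equivalent to escrow of the factorization: anyone holding $(n, e, d)$ can recompute $p$ and $q$, so a leaked private exponent compromises every other key that shares the modulus.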


4.2. The Discrete Logarithm and the Diffie-Hellman Problems
The setting is quite general: one is given
• a cyclic group $\mathcal{G}$ of prime order $q$ (such as the finite group $(\mathbb{Z}_q, +)$, a subgroup of $(\mathbb{Z}_p^*, \times)$ for $q \mid p - 1$, of an elliptic curve, etc.);
• a generator $\mathbf{g}$ (i.e. $\mathcal{G} = \langle \mathbf{g} \rangle$).

We note in bold (such as $\mathbf{g}$) any element of the group $\mathcal{G}$, to distinguish it from a scalar $x \in \mathbb{Z}_q$. But such a $\mathbf{g}$ could be an element in $\mathbb{Z}_p^*$ or a point of an elliptic curve, according to the setting. Above, we talked about a "suitable" group $\mathcal{G}$. In such a group, some of the following problems have to be hard to solve (using the additive notation):

• the Discrete Logarithm problem (DL): given $\mathbf{y} \in \mathcal{G}$, compute $x \in \mathbb{Z}_q$ such that $\mathbf{y} = x \cdot \mathbf{g} = \mathbf{g} + \cdots + \mathbf{g}$ ($x$ times); one then writes $x = \log_{\mathbf{g}} \mathbf{y}$.

• the Computational Diffie-Hellman problem (CDH): given two elements in the group $\mathcal{G}$, $\mathbf{a} = a \cdot \mathbf{g}$ and $\mathbf{b} = b \cdot \mathbf{g}$, compute $\mathbf{c} = ab \cdot \mathbf{g}$. One then writes $\mathbf{c} = \mathrm{DH}(\mathbf{a}, \mathbf{b})$.

• the Decisional Diffie-Hellman problem (DDH): given three elements in the group $\mathcal{G}$, $\mathbf{a} = a \cdot \mathbf{g}$, $\mathbf{b} = b \cdot \mathbf{g}$ and $\mathbf{c} = c \cdot \mathbf{g}$, decide whether $\mathbf{c} = \mathrm{DH}(\mathbf{a}, \mathbf{b})$ (or equivalently, whether $c = ab \bmod q$).


It is clear that they are sorted from the strongest problem to the weakest one. Furthermore, one may remark that they are all "random self-reducible", which means that any instance can be reduced to a uniformly distributed instance: for example, given a specific element $\mathbf{y}$ for which one wants to compute the discrete logarithm $x$ in basis $\mathbf{g}$, one can choose a random $z \in \mathbb{Z}_q^*$ (non-zero, so that it is invertible modulo $q$) and compute $\mathbf{z} = z \cdot \mathbf{y}$. The element $\mathbf{z}$ is then uniformly distributed among the non-trivial elements of the group (as soon as $\mathbf{y}$ is not the identity), and its discrete logarithm $a = \log_{\mathbf{g}} \mathbf{z} = zx$ leads to $x = a/z \bmod q$. As a consequence, there are only average complexity cases: the ability to solve a problem for a non-negligible fraction of instances in polynomial time is equivalent to the ability to solve any instance in expected polynomial time.
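The random self-reduction above, as an added Python example (not the chapter's own code), on a constructed toy group: the subgroup of prime order $q = 509$ of $\mathbb{Z}_p^*$ with $p = 1019$, generated by $g = 4$, written multiplicatively so that $\mathbf{z} = z \cdot \mathbf{y}$ becomes $y^z \bmod p$. The function `picky_solver` is a hypothetical partial DL algorithm that only answers on about half of the instances; `dlog_self_reduced` turns it into one that answers on every instance by randomising the instance and mapping the answer back.

```python
"""Random self-reducibility of the discrete logarithm.

Added illustration for this text (not the chapter's own code).  The group is
a constructed toy: the subgroup of prime order q = 509 of Z_p^*, p = 1019,
generated by g = 4 (4 = 2^2 is a square, so its order divides q and is not 1).
The chapter's additive z = z.y is written multiplicatively here as y^z mod p.
"""
import secrets

P, Q, G = 1019, 509, 4


def dlog_bruteforce(y):
    """Exhaustive search for x with g^x = y mod p (fine for 509 elements)."""
    acc = 1
    for x in range(Q):
        if acc == y:
            return x
        acc = acc * G % P
    raise ValueError("y is not in the subgroup generated by g")


def picky_solver(y):
    """Hypothetical partial DL algorithm: answers only when the instance y is
    even as an integer (about half of the group), and gives up otherwise."""
    return dlog_bruteforce(y) if y % 2 == 0 else None


def dlog_self_reduced(y, solver, max_tries=200):
    """Solve an arbitrary instance y with a solver that only works on a
    non-negligible fraction of instances.

    Pick z uniformly in Z_q^* (non-zero, so it is invertible mod q), form the
    randomised instance z_elt = y^z, which is uniformly distributed over the
    non-trivial group elements when y != 1, and if the solver returns
    a = log_g z_elt = z*x mod q, recover x = a / z mod q."""
    if y == 1:
        return 0                          # trivial instance, nothing to randomise
    for _ in range(max_tries):
        z = 1 + secrets.randbelow(Q - 1)
        z_elt = pow(y, z, P)
        a = solver(z_elt)
        if a is not None:
            return a * pow(z, -1, Q) % Q
    return None                           # solver never answered; try again


if __name__ == "__main__":
    x = secrets.randbelow(Q)
    y = pow(G, x, P)
    print("x =", x, "recovered:", dlog_self_reduced(y, picky_solver))
```

Each failed try costs one call to the solver, so a solver that succeeds on a fraction $\delta$ of the instances needs about $1/\delta$ tries on average; this is exactly the "expected polynomial time" of the text.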

A new variant of the Diffie-Hellman problem has more recently been defined by Tatsuaki Okamoto and the author [60], the so-called Gap Diffie-Hellman Problem (GDH), where one wants to solve the CDH problem with access to a DDH oracle. One may easily remark the following properties about the above problems: $\mathrm{DL} \ge \mathrm{CDH} \ge \{\mathrm{DDH}, \mathrm{GDH}\}$, where $A \ge B$ means that the problem $A$ is at least as hard as the problem $B$. However, in practice, no one knows how to solve any of them without breaking the DL problem itself.
Currently, the most efficient algorithms to solve the latter problem depend on the underlying group. For generic groups (for which no specific algebraic property can be used), algorithms have a complexity in the square root of $q$, the order of the generator $\mathbf{g}$ [78, 70]. For example, on well-chosen elliptic curves only these algorithms can be used. The last record was established in April 2001 on the curve defined by the equation $y^2 + xy = x^3 + x^2 + 1$ over the finite field with $2^{109}$ elements.

However, for subgroups of $\mathbb{Z}_p^*$, some better techniques can be applied. The best algorithm is based on sieving on number fields, as for the factorization. The General Number Field Sieve method [41] has a super-polynomial, but sub-exponential, complexity in $O\!\left(\exp\left((1.923 + o(1)) (\ln p)^{1/3} (\ln \ln p)^{2/3}\right)\right)$. It was used to establish the last record, in April 2001 as well, by computing discrete logarithms in $\mathbb{Z}_p^*$, for a 120-digit prime $p$. Therefore, 512-bit primes are still safe enough, as far as the generic attacks cannot be used (the generator must be of large order $q$, at least a 160-bit prime).

For signature applications, one only requires groups where the DL problem is 
hard, whereas encryption needs trapdoor problems and therefore requires groups 
where some of the DH’s problems are also hard to solve. 


5. Digital Signature Schemes 


Until 1996, no practical DL-based cryptographic scheme had ever been formally studied, but heuristically only. And surprisingly, at the Eurocrypt '96 conference, two opposite studies were conducted on the El Gamal signature scheme [27], the first DL-based signature scheme, designed in 1985 and depicted on Figure 2.


Initialization (security parameter $k$) → $(p, g)$
    $g$ a generator of $\mathbb{Z}_p^*$, where $p$ is a large prime
    → $(p, g)$

$\mathcal{K}$: Key Generation → $(y, x)$
    private key $x \in \mathbb{Z}_{p-1}^*$
    public key $y = g^x \bmod p$
    → $(y, x)$

$\mathcal{S}$: Signature of $m$ → $(r, s)$
    $K$ is randomly chosen in $\mathbb{Z}_{p-1}^*$
    $r = g^K \bmod p$, $s = (m - xr)/K \bmod p - 1$
    → $(r, s)$ is a signature of $m$

$\mathcal{V}$: Verification of $(m, r, s)$
    check whether $g^m = y^r r^s \bmod p$
    → Yes/No

FIGURE 2. The El Gamal Signature Scheme.
Whereas existential forgeries were known for that scheme, it was believed to prevent universal forgeries. The first analysis, from Daniel Bleichenbacher [14], showed such a universal forgery when the generator $g$ is not properly chosen. The second one, from Jacques Stern and the author [67], proved the security against existential forgeries under adaptive chosen-message attacks of a slight variant with a randomly chosen generator $g$. The latter variant simply replaces the message $m$ by $H(m, r)$ in the computation, where $H$ is a hash function that is assumed to behave like a random oracle. It is amazing to remark that Bleichenbacher's attack also applies to our variant. Therefore, depending on the initialization, our variant could be a very strong signature scheme or become a very weak one!

As a consequence, a proof has to be performed in details, with precise assump- 
tions and achievements. Furthermore, the conclusions have to be strictly followed 
by developers, otherwise the concrete implementation of a secure scheme can be 
very weak. 


5.1. Provable Security 


The first secure signature scheme was proposed by Goldwasser et al. [37] in 1984. It used the notion of claw-free permutations. A pair of permutations $(f, g)$ is said claw-free if it is computationally impossible to find a claw $(x, y)$, which satisfies $f(x) = g(y)$. Their proposal provided polynomial algorithms with a polynomial reduction between the search for a claw and an existential forgery under an adaptive chosen-message attack. However, the scheme was totally impractical. What about practical schemes?


5.1.1. The RSA Signature Scheme. Two years after the Diffie-Hellman paper [25], Rivest, Shamir and Adleman [73] proposed the first signature scheme based on the "trapdoor one-way permutation paradigm", using the RSA function: the generation algorithm produces a large composite number $N = pq$, a public key $e$, and a private key $d$ such that $e \cdot d = 1 \bmod \varphi(N)$. The signature of a message $m$, encoded as an element in $\mathbb{Z}_N^*$, is its $e$-th root, $\sigma = m^{1/e} = m^d \bmod N$. The verification algorithm simply checks whether $m = \sigma^e \bmod N$.

However, the RSA scheme is not secure by itself since it is subject to existential forgery: it is easy to create a valid message-signature pair, without any help of the signer, by first randomly choosing a signature $\sigma$ and getting the signed message $m$ from the public verification relation, $m = \sigma^e \bmod N$.


5.1.2. The Schnorr Signature Scheme. In 1986 a new paradigm for signature schemes was introduced. It is derived from fair zero-knowledge identification protocols involving a prover and a verifier [36], and uses hash functions in order to create a kind of virtual verifier. The first application was derived from the Fiat-Shamir [28] zero-knowledge identification protocol, based on the hardness of extracting square roots, with a brief outline of its security. Another famous identification scheme [75], together with the signature scheme [76], has been proposed later by Schnorr, based on that paradigm: the generation algorithm produces two large primes $p$ and $q$, such that $q \ge 2^k$, where $k$ is the security parameter, and $q \mid p - 1$, as well as an element $g$ in $\mathbb{Z}_p^*$ of order $q$. It also creates a pair of keys, the private key $x \in \mathbb{Z}_q^*$ and the public key $y = g^{-x} \bmod p$. The signature of a message $m$ is a triple $(r, e, s)$, where $r = g^K \bmod p$, with a random $K \in \mathbb{Z}_q$, the "challenge" $e = H(m, r)$ and $s = K + ex \bmod q$. The latter satisfies $r = g^s y^e \bmod p$ with $e = H(m, r)$, which is checked by the verification algorithm.

The security results for that paradigm have been considered as folklore for a long time but without any formal validation.


5.2. DL-Based Signatures 


In our papers [67, 68], with Jacques Stern, we formally proved the above paradigm when $H$ is assumed to behave like a random oracle. The proof is based on the by now classical oracle replay technique: by a polynomial replay of the attack with different random oracles (the $Q_i$'s are the queries and the $\rho_i$'s are the answers), we allow the attacker to forge signatures that are suitably related. This generic technique is depicted on Figure 3, where the signature of a message $m$ is a triple $(\sigma_1, h, \sigma_2)$, with $h = H(m, \sigma_1)$ which depends on the message and the first part of the signature, both bound not to change for the computation of $\sigma_2$, which really relies on the knowledge of the private key. If the probability of fraud is high enough, then with good probability, the adversary is able to answer many distinct outputs from the function, on the input $(m, \sigma_1)$.

[Figure: the attacker $\mathcal{A}$, run on a random tape $\omega$ with the oracle $H$ (queries $Q_1, \ldots, Q_j, \ldots$, answers $\rho_1, \ldots, \rho_j, \ldots$), outputs $(m, \sigma_1, h = \rho_j, \sigma_2)$; replayed with the same $\omega$ and an oracle $H'$ that agrees with $H$ on $Q_1, \ldots, Q_{j-1}$ but answers $\rho'_j \ne \rho_j$ at $Q_j = (m, \sigma_1)$, it outputs $(m, \sigma_1, h' = \rho'_j, \sigma'_2)$.]
FIGURE 3. The Oracle Replay Technique

To be more concrete, let us consider the Schnorr signature scheme, which is presented on Figure 4, in any "suitable" cyclic group $\mathcal{G}$ of prime order $q$, where at least the Discrete Logarithm problem is hard. We expect to obtain two signatures $(\mathbf{r} = \sigma_1, h, s = \sigma_2)$ and $(\mathbf{r}' = \sigma_1', h', s' = \sigma_2')$ of an identical message $m$ such that $\sigma_1 = \sigma_1'$, but $h \ne h'$. Thereafter, we can easily extract the discrete logarithm of the public key:

$$\mathbf{r} = s \cdot \mathbf{g} + h \cdot \mathbf{y} = s' \cdot \mathbf{g} + h' \cdot \mathbf{y} \quad\Longrightarrow\quad (s - s') \cdot \mathbf{g} = (h' - h) \cdot \mathbf{y},$$

which leads to $\log_{\mathbf{g}} \mathbf{y} = (s - s') \cdot (h' - h)^{-1} \bmod q$ (and thus, since $\mathbf{y} = -x \cdot \mathbf{g}$, to the private key $x = -\log_{\mathbf{g}} \mathbf{y} \bmod q$).
Initialization (security parameter $k$) → $(\mathcal{G}, \mathbf{g}, H)$
    $\mathbf{g}$ a generator of any cyclic group $(\mathcal{G}, +)$ of order $q$, with $2^{k-1} \le q < 2^k$
    $H$ a hash function: $\{0,1\}^* \to \mathbb{Z}_q$
    → $(\mathcal{G}, \mathbf{g}, H)$

$\mathcal{K}$: Key Generation → $(\mathbf{y}, x)$
    private key $x \in \mathbb{Z}_q^*$
    public key $\mathbf{y} = -x \cdot \mathbf{g}$
    → $(\mathbf{y}, x)$

$\mathcal{S}$: Signature of $m$ → $(\mathbf{r}, h, s)$
    $K$ is randomly chosen in $\mathbb{Z}_q^*$
    $\mathbf{r} = K \cdot \mathbf{g}$, $h = H(m, \mathbf{r})$, $s = K + xh \bmod q$
    → $(\mathbf{r}, h, s)$ is a signature of $m$

$\mathcal{V}$: Verification of $(m, \mathbf{r}, h, s)$
    check whether $h = H(m, \mathbf{r})$ and $\mathbf{r} = s \cdot \mathbf{g} + h \cdot \mathbf{y}$
    → Yes/No

FIGURE 4. The Schnorr Signature Scheme.
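As an added worked example (not the chapter's own code), the following Python script implements the scheme of Figure 4 in a constructed toy group (the subgroup of order $q = 509$ of $\mathbb{Z}_{1019}^*$ generated by $g = 4$), written multiplicatively ($\mathbf{y} = g^{-x}$, $\mathbf{r} = g^s y^h \bmod p$), and carries out the extraction above: the signer, standing in for the forger, is replayed with the same random tape (the same $K$, hence the same $\mathbf{r}$) against a second oracle $H'$ that agrees with $H$ everywhere except at $(m, \mathbf{r})$, and the two signatures yield $\log_{\mathbf{g}} \mathbf{y} = (s - s')(h' - h)^{-1} \bmod q$. SHA-256 reduced modulo $q$ stands in for the random oracle; `forked_oracle` and `extract_from_fork` are names chosen here.

```python
"""Schnorr signatures and private-key extraction from a fork.

Added illustration for this text (not the chapter's own code).  The group is
a constructed toy subgroup of Z_p^* with p = 1019 = 2*509 + 1 and generator
g = 4 of prime order q = 509; the hash is SHA-256 reduced mod q.  The chapter
writes the group additively (y = -x.g, r = s.g + h.y); the same scheme is
written here multiplicatively: y = g^(-x), r = g^s * y^h mod p.
"""
import hashlib
import secrets

P, Q, G = 1019, 509, 4   # constructed toy parameters: p = 2q + 1, ord(g) = q


def H(m, r):
    """The 'random oracle' H(m, r): SHA-256 of (m, r) reduced into Z_q."""
    digest = hashlib.sha256(m + b"|" + str(r).encode()).digest()
    return int.from_bytes(digest, "big") % Q


def keygen(x=None):
    """Private key x in Z_q^*, public key y = g^(-x) = g^(q - x) mod p."""
    if x is None:
        x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, Q - x, P)


def sign(x, m, oracle=H, K=None):
    """Signature (r, h, s): r = g^K, h = oracle(m, r), s = K + x*h mod q.

    K is exposed so that a replay with the same random tape (same K, hence
    the same r) but a different oracle can be simulated."""
    if K is None:
        K = 1 + secrets.randbelow(Q - 1)
    r = pow(G, K, P)
    h = oracle(m, r)
    s = (K + x * h) % Q
    return r, h, s


def verify(y, m, sig, oracle=H):
    """Check h = oracle(m, r) and r = g^s * y^h mod p."""
    r, h, s = sig
    return h == oracle(m, r) and r == (pow(G, s, P) * pow(y, h, P)) % P


def forked_oracle(base, m, r, h_new):
    """H' that agrees with `base` everywhere except at the query (m, r)."""
    def oracle(m2, r2):
        return h_new if (m2, r2) == (m, r) else base(m2, r2)
    return oracle


def extract_from_fork(sig1, sig2):
    """Given (r, h, s) and (r, h', s') with h != h', return log_g y = -x.

    From r = g^s y^h = g^s' y^h' we get g^(s - s') = y^(h' - h), hence
    log_g y = (s - s') * (h' - h)^-1 mod q, the chapter's formula."""
    r1, h1, s1 = sig1
    r2, h2, s2 = sig2
    if r1 != r2 or h1 == h2:
        raise ValueError("not a usable fork: need the same r and different h")
    return (s1 - s2) * pow((h2 - h1) % Q, -1, Q) % Q


def demo():
    """Run, replay with a fresh oracle answer, extract; True if x is recovered."""
    x, y = keygen()
    m = b"transfer 100 to account 42"
    K = 1 + secrets.randbelow(Q - 1)              # the forger's random tape
    sig1 = sign(x, m, H, K)                       # first run, oracle H
    assert verify(y, m, sig1, H)
    h_new = (sig1[1] + 1 + secrets.randbelow(Q - 1)) % Q   # fresh answer != h
    H2 = forked_oracle(H, m, sig1[0], h_new)
    sig2 = sign(x, m, H2, K)                      # replay: same K, oracle H'
    assert verify(y, m, sig2, H2)
    return (-extract_from_fork(sig1, sig2)) % Q == x


if __name__ == "__main__":
    print("private key recovered from fork:", demo())
```

The same extraction is what makes nonce reuse fatal in practice: two honest signatures on different messages with the same $K$ share $\mathbf{r}$ and (with overwhelming probability) have different $h$, so `extract_from_fork` applied to them recovers the key without any oracle replay.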


5.2.1. General Tools. First, let us recall the "Splitting Lemma" which will be the main probabilistic tool for the "Forking Lemma". It translates the fact that when a subset $A$ is "large" in a product space $X \times Y$, it has many "large" sections.

Lemma 1 (The Splitting Lemma). Let $A \subset X \times Y$ such that $\Pr[(x, y) \in A] \ge \varepsilon$. For any $\alpha < \varepsilon$, define

$$B = \left\{(x, y) \in X \times Y \;\middle|\; \Pr_{y' \in Y}[(x, y') \in A] \ge \varepsilon - \alpha\right\},$$

then the following statements hold:

(i) $\Pr[B] \ge \alpha$;
(ii) $\forall (x, y) \in B$, $\Pr_{y' \in Y}[(x, y') \in A] \ge \varepsilon - \alpha$;
(iii) $\Pr[B \mid A] \ge \alpha/\varepsilon$.

Proof. In order to prove statement (i), we argue by contradiction, using the notation $\bar{B}$ for the complement of $B$ in $X \times Y$. Assume that $\Pr[B] < \alpha$. Then

$$\varepsilon \le \Pr[B] \cdot \Pr[A \mid B] + \Pr[\bar{B}] \cdot \Pr[A \mid \bar{B}] < \alpha \cdot 1 + 1 \cdot (\varepsilon - \alpha) = \varepsilon.$$

This is a contradiction, hence the result.
Statement (ii) is a straightforward consequence of the definition.
We finally turn to the last assertion, using Bayes' law:

$$\Pr[B \mid A] = 1 - \Pr[\bar{B} \mid A] = 1 - \Pr[A \mid \bar{B}] \cdot \Pr[\bar{B}] / \Pr[A] \ge 1 - (\varepsilon - \alpha)/\varepsilon = \alpha/\varepsilon. \qquad \square$$

No-Message Attacks. The following Forking Lemma just states that the above oracle replay technique will often succeed with any good adversary.

Theorem 1 (The Forking Lemma). Let $(\mathcal{K}, \mathcal{S}, \mathcal{V})$ be a digital signature scheme with security parameter $k$, with a signature as above, of the form $(m, \sigma_1, h, \sigma_2)$, where $h = H(m, \sigma_1)$ and $\sigma_2$ depends on $\sigma_1$ and $h$ only. Let $\mathcal{A}$ be a probabilistic polynomial time Turing machine whose input only consists of public data and which can ask $q_H$ queries to the random oracle, with $q_H > 0$. We assume that, within the time bound $T$, $\mathcal{A}$ produces, with probability $\varepsilon \ge 7q_H/2^k$, a valid signature $(m, \sigma_1, h, \sigma_2)$. Then, within time $T' \le 16 q_H T/\varepsilon$, and with probability $\varepsilon' \ge 1/9$, a replay of this machine outputs two valid signatures $(m, \sigma_1, h, \sigma_2)$ and $(m, \sigma_1, h', \sigma_2')$ such that $h \ne h'$.





Proof. We are given an adversary $\mathcal{A}$, which is a probabilistic polynomial time Turing machine with random tape $\omega$. During the attack, this machine asks a polynomial number of questions to the random oracle $H$. We may assume that these questions are distinct: for instance, $\mathcal{A}$ can store questions and answers in a table. Let $Q_1, \ldots, Q_{q_H}$ be the $q_H$ distinct questions and let $\rho = (\rho_1, \ldots, \rho_{q_H})$ be the list of the $q_H$ answers of $H$. It is clear that a random choice of $H$ exactly corresponds to a random choice of $\rho$. Then, for a random choice of $(\omega, H)$, with probability $\varepsilon$, $\mathcal{A}$ outputs a valid signature $(m, \sigma_1, h, \sigma_2)$. Since $H$ is a random oracle, it is easy to see that the probability for $h$ to be equal to $H(m, \sigma_1)$ is less than $1/2^k$, unless it has been asked during the attack. So, it is likely that the question $(m, \sigma_1)$ is actually asked during a successful attack. Accordingly, we define $\mathrm{Ind}_H(\omega)$ to be the index of this question: $(m, \sigma_1) = Q_{\mathrm{Ind}_H(\omega)}$ (we let $\mathrm{Ind}_H(\omega) = \infty$ if the question is never asked). We then define the sets

$$S = \{(\omega, H) \mid \mathcal{A}^H(\omega) \text{ succeeds and } \mathrm{Ind}_H(\omega) \ne \infty\},$$
$$S_i = \{(\omega, H) \mid \mathcal{A}^H(\omega) \text{ succeeds and } \mathrm{Ind}_H(\omega) = i\} \quad \text{for } i \in \{1, \ldots, q_H\}.$$

We thus call $S$ the set of the successful pairs $(\omega, H)$. One should note that the set $\{S_i \mid i \in \{1, \ldots, q_H\}\}$ is a partition of $S$. With those definitions, we find a lower bound for the probability of success, $\nu = \Pr[S] \ge \varepsilon - 1/2^k$. Since we made the assumption that $\varepsilon \ge 7q_H/2^k \ge 7/2^k$, then $\nu \ge 6\varepsilon/7$. Let $I$ be the set consisting of the most likely indices $i$,

$$I = \{i \mid \Pr[S_i \mid S] \ge 1/2q_H\}.$$

The following lemma claims that, in case of success, the index lies in $I$ with probability at least $1/2$.
Lemma 2. $\Pr[\mathrm{Ind}_H(\omega) \in I \mid S] \ge 1/2$.

Proof. By definition of the sets $S_i$, $\Pr[\mathrm{Ind}_H(\omega) \in I \mid S] = \sum_{i \in I} \Pr[S_i \mid S]$. This probability is equal to $1 - \sum_{i \notin I} \Pr[S_i \mid S]$. Since the complement of $I$ contains fewer than $q_H$ elements, each with $\Pr[S_i \mid S] < 1/2q_H$, this probability is at least $1 - q_H \times 1/2q_H \ge 1/2$. $\square$

We now run the attacker $2/\varepsilon$ times with random $\omega$ and random $H$. Since $\nu = \Pr[S] \ge 6\varepsilon/7$, with probability greater than $1 - (1 - 6\varepsilon/7)^{2/\varepsilon}$, we get at least one pair $(\omega, H)$ in $S$. It is easily seen that this probability is lower bounded by $1 - e^{-12/7} \ge 4/5$.

We now apply the Splitting Lemma (Lemma 1, with $\varepsilon = \nu/2q_H$ and $\alpha = \varepsilon/2$) for each integer $i \in I$: we denote by $H|_i$ the restriction of $H$ to queries of index strictly less than $i$. Since $\Pr[S_i] \ge \nu/2q_H$, there exists a subset $\Omega_i$ of executions such that,

$$\text{for any } (\omega, H) \in \Omega_i,\quad \Pr_{H'}\left[(\omega, H') \in S_i \;\middle|\; H'|_i = H|_i\right] \ge \frac{\nu}{4q_H}, \qquad \text{and} \qquad \Pr[\Omega_i \mid S_i] \ge \frac{1}{2}.$$

Since all the subsets $S_i$ are disjoint,

$$\Pr_{\omega, H}\left[(\exists i \in I)\ (\omega, H) \in \Omega_i \cap S_i \;\middle|\; S\right] = \sum_{i \in I} \Pr[\Omega_i \cap S_i \mid S] = \sum_{i \in I} \Pr[\Omega_i \mid S_i] \cdot \Pr[S_i \mid S] \ge \frac{1}{2} \sum_{i \in I} \Pr[S_i \mid S] \ge \frac{1}{4}.$$
We let $\beta$ denote the index $\mathrm{Ind}_H(\omega)$ corresponding to the successful pair. With probability at least $1/4$, $\beta \in I$ and $(\omega, H) \in S_\beta \cap \Omega_\beta$. Consequently, with probability greater than $4/5 \times 1/4 = 1/5$, the $2/\varepsilon$ attacks have provided a successful pair $(\omega, H)$, with $\beta = \mathrm{Ind}_H(\omega) \in I$ and $(\omega, H) \in S_\beta \cap \Omega_\beta$. Furthermore, if we replay the attack, with fixed $\omega$ but randomly chosen oracle $H'$ such that $H'|_\beta = H|_\beta$, we know that $\Pr_{H'}[(\omega, H') \in S_\beta \mid H'|_\beta = H|_\beta] \ge \nu/4q_H$. Then

$$\Pr_{H'}\left[(\omega, H') \in S_\beta \text{ and } \rho_\beta \ne \rho'_\beta \;\middle|\; H'|_\beta = H|_\beta\right] \ge \Pr_{H'}\left[(\omega, H') \in S_\beta \;\middle|\; H'|_\beta = H|_\beta\right] - \Pr[\rho_\beta = \rho'_\beta] \ge \frac{\nu}{4q_H} - \frac{1}{2^k},$$

where $\rho_\beta = H(Q_\beta)$ and $\rho'_\beta = H'(Q_\beta)$. Using again the assumption that $\varepsilon \ge 7q_H/2^k$, the above probability is lower bounded by $\varepsilon/14q_H$. We thus replay the attack $14q_H/\varepsilon$ times with a new random oracle $H'$ such that $H'|_\beta = H|_\beta$, and get another success with probability greater than $1 - (1 - \varepsilon/14q_H)^{14q_H/\varepsilon} \ge 1 - e^{-1} \ge 3/5$.
Finally, after less than $2/\varepsilon + 14q_H/\varepsilon$ repetitions of the attack, with probability greater than $1/5 \times 3/5 \ge 1/9$, we have obtained two signatures $(m, \sigma_1, h, \sigma_2)$ and $(m', \sigma_1', h', \sigma_2')$, both valid w.r.t. their specific random oracle $H$ or $H'$, and with the particular relations

$$Q_\beta = (m, \sigma_1) = (m', \sigma_1') \quad \text{and} \quad h = H(Q_\beta) \ne H'(Q_\beta) = h'. \qquad \square$$

One may have noticed that the mechanics of our reduction depend on some parameters related to the attacker $\mathcal{A}$, namely, its probability of success $\varepsilon$ and the number $q_H$ of queries to the random oracle. This induces a lack of uniformity. A uniform version, in expected polynomial time, is also possible.


Theorem 2 (The Forking Lemma: The Uniform Case). Let $(\mathcal{K}, \mathcal{S}, \mathcal{V})$ be a digital signature scheme with security parameter $k$, with a signature as above, of the form $(m, \sigma_1, h, \sigma_2)$, where $h = H(m, \sigma_1)$ and $\sigma_2$ depends on $\sigma_1$ and $h$ only. Let $\mathcal{A}$ be a probabilistic polynomial time Turing machine whose input only consists of public data and which can ask $q_H$ queries to the random oracle, with $q_H > 0$. We assume that, within the time bound $T$, $\mathcal{A}$ produces, with probability $\varepsilon \ge 7q_H/2^k$, a valid signature $(m, \sigma_1, h, \sigma_2)$. Then there is another machine which has control over $\mathcal{A}$ and produces two valid signatures $(m, \sigma_1, h, \sigma_2)$ and $(m, \sigma_1, h', \sigma_2')$ such that $h \ne h'$, in expected time $T' \le 84480\, T q_H/\varepsilon$.





Proof. Now, we try to design a machine $\mathcal{M}$ which succeeds in expected polynomial time:
1. $\mathcal{M}$ initializes $j = 0$;
2. $\mathcal{M}$ runs $\mathcal{A}$ until it outputs a successful pair $(\omega, H) \in S$ and denotes by $N_j$ the number of calls to $\mathcal{A}$ to obtain this success, and by $\beta$ the index $\mathrm{Ind}_H(\omega)$;
3. $\mathcal{M}$ replays, at most $140 N_j \alpha^j$ times, $\mathcal{A}$ with fixed $\omega$ and random $H'$ such that $H'|_\beta = H|_\beta$, where $\alpha = 8/7$;
4. $\mathcal{M}$ increments $j$ and returns to step 2, until it gets a successful forking.
For any execution of $\mathcal{M}$, we denote by $J$ the last value of $j$ and by $N$ the total number of calls to $\mathcal{A}$. We want to compute the expectation of $N$. Since $\nu = \Pr[S]$, and $N_j \ge 1$, then $\Pr[N_j \ge 1/5\nu] \ge 3/4$. We define $\ell = \lceil \log_\alpha q_H \rceil$, so that $140 N_j \alpha^j \ge 28 q_H/\varepsilon$ for any $j \ge \ell$, whenever $N_j \ge 1/5\nu$. Therefore, for any $j \ge \ell$, when we have a first success in $S$, with probability greater than $1/4$, the index $\beta = \mathrm{Ind}_H(\omega)$ is in the set $I$ and $(\omega, H) \in S_\beta \cap \Omega_\beta$. Furthermore, with probability greater than $3/4$, $N_j \ge 1/5\nu$. Therefore, under the same conditions as before, that is $\varepsilon \ge 7q_H/2^k$, the probability of getting a successful fork after at most $28q_H/\varepsilon$ iterations at step 3 is greater than $6/7$.
For any $t \ge \ell$, the probability for $J$ to be greater than or equal to $t$ is less than $(1 - 1/4 \times 3/4 \times 6/7)^{t - \ell}$, which is less than $\gamma^{t - \ell}$, with $\gamma = 6/7$. Furthermore,

$$\mathbb{E}[N \mid J = t] \le \sum_{j=0}^{t} \left(\mathbb{E}[N_j] + 140\, \mathbb{E}[N_j]\, \alpha^j\right) \le \frac{141}{\nu} \sum_{j=0}^{t} \alpha^j \le \frac{141}{\nu} \times \frac{\alpha^{t+1}}{\alpha - 1}.$$

So, the expectation of $N$ is $\mathbb{E}[N] = \sum_t \mathbb{E}[N \mid J = t] \cdot \Pr[J = t]$, and then it can be shown to be less than $84480\, q_H/\varepsilon$. Hence the theorem. $\square$
Chosen-Message Attacks. However, this just covers the no-message attacks, without
any oracle access. Since we can simulate any zero-knowledge protocol, even
without having to restart the simulation because of the honest verifier (i.e. the
challenge is randomly chosen by the random oracle H) one can easily simulate the
signer without the private key:

• one first chooses random h, s ∈ Z_q;

• one computes r = s·g + h·y and defines H(m, r) to be equal to h, which is
a uniformly distributed value;

• one can output (r, h, s) as a valid signature of the message m.

This furthermore simulates the oracle H, by defining H(m, r) to be equal to h.
This simulation is almost perfect since H is supposed to output a random value
to any new query, and h is indeed a random value. Nevertheless, if the query
H(m, r) has already been asked, H(m, r) is already defined, and thus the definition
H(m, r) ← h is impossible. But such a situation is very rare, which allows us to
claim the following result, which stands for the Schnorr signature scheme but
also for any signature derived from a three-round honest verifier zero-knowledge
interactive proof of knowledge:


Theorem 3. Let A be a probabilistic polynomial time Turing machine whose
input only consists of public data. We denote respectively by q_h and q_s
the number of queries that A can ask to the random oracle and the number
of queries that A can ask to the signer. Assume that, within a time
bound T, A produces, with probability ε ≥ 10(q_s + 1)(q_s + q_h)/2^k, a valid
signature (m, σ_1, h, σ_2). If the triples (σ_1, h, σ_2) can be simulated without
knowing the secret key, with an indistinguishable distribution probability,
then, a replay of the attacker A, where interactions with the signer are
simulated, outputs two valid signatures (m, σ_1, h, σ_2) and (m, σ_1, h', σ'_2) such
that h ≠ h', within time T' ≤ 23 q_h T/ε and with probability ε' ≥ 1/9.





A uniform version of this theorem can also be found in [68]. From a more
practical point of view, these results state that if an adversary manages to perform
an existential forgery under an adaptive chosen-message attack within an expected
time T', after q_h queries to the random oracle and q_s queries to the signing oracle,
then the discrete logarithm problem can be solved within an expected time less
than C q_h T', for some constant C. This result has been more recently extended to
the transformation of any identification scheme secure against passive adversaries
into a signature scheme [8].

Brickell, Vaudenay, Yung and the author also extended the forking lemma 
technique [69, 17] to many variants of El Gamal [27] and DSA [55], such as the 
Korean Standard KCDSA [43]. However, the original El Gamal and DSA schemes 
were not covered by this study, and are certainly not provably secure, even if no 
attack has ever been found against DSA. 
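As an added illustration of the replay described above (this code is not part of the original notes), the following Python program runs a stand-in Schnorr signer twice with the same coins but a random oracle that agrees with the first run only up to the forking query, and extracts the secret key from the two resulting signatures. The group parameters, message and seeds are constructed toy values; the stand-in "forger" is simply an honest signer that knows x, which the extractor never sees.

```python
import random

# Constructed toy group: G = 4 generates the subgroup of prime order Q = 509
# inside Z_P^*, with P = 2Q + 1 = 1019.
P, Q, G = 1019, 509, 4


class ReplayableOracle:
    """Random oracle H(m, r) -> Z_Q whose first answers can be forced to agree with
    an earlier run: `prefix` holds that run's answers up to (not including) the
    forking index beta, so H'_{|beta} = H_{|beta} and H' is fresh from query beta on."""

    def __init__(self, rng, prefix=()):
        self.rng, self.prefix = rng, list(prefix)
        self.table, self.log = {}, []        # log keeps queries in order of first appearance

    def query(self, m, r):
        if (m, r) not in self.table:
            i = len(self.log)
            h = self.prefix[i] if i < len(self.prefix) else self.rng.randrange(1, Q)
            self.table[(m, r)] = h
            self.log.append(((m, r), h))
        return self.table[(m, r)]


def verify(y, m, r, h, s, oracle):
    """Schnorr check in the notation used above, r = s.g + h.y, written multiplicatively."""
    return h == oracle.query(m, r) and r == pow(G, s, P) * pow(y, h, P) % P


def make_forger(x):
    """Stand-in for A: an honest signer knowing x. Its coins come from `seed`,
    so a replay with the same seed repeats exactly the same internal choices."""
    def forger(y, oracle, seed):
        rng = random.Random(seed)
        k = rng.randrange(1, Q)
        m, r = "transfer 10", pow(G, k, P)
        h = oracle.query(m, r)               # the query the reduction will fork on
        s = (k - x * h) % Q
        return m, r, h, s
    return forger


def fork_and_extract(forger, y, seed, max_replays=20):
    """The forking lemma's machine: run A once, then replay it with an oracle H'
    that agrees with H up to the forking query and answers that query afresh."""
    first = ReplayableOracle(random.Random(1000))
    m, r, h, s = forger(y, first, seed)
    beta = [q for q, _ in first.log].index((m, r))     # Ind_H(omega)
    prefix = [ans for _, ans in first.log[:beta]]
    for attempt in range(max_replays):
        second = ReplayableOracle(random.Random(2000 + attempt), prefix)
        m2, r2, h2, s2 = forger(y, second, seed)        # same coins, forked oracle
        if (m2, r2) == (m, r) and h2 != h:
            # s = k - x.h and s2 = k - x.h2  =>  x = (s2 - s) / (h - h2) mod Q
            return (s2 - s) * pow(h - h2, -1, Q) % Q
    return None


if __name__ == "__main__":
    x = 123
    y = pow(G, x, P)
    print("recovered secret:", fork_and_extract(make_forger(x), y, seed=7))
```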
5.3. RSA-Based Signatures


Unfortunately, with the above signatures based on the discrete logarithm, as any
construction using the Fiat-Shamir paradigm, we do not really achieve our goal,
because the reduction is costly, since q_h can be huge, as much as 2^60 in practice.
This security proof is meaningful for very large groups only.


5.3.1. FDH-RSA: The Full-Domain Hash Signature. In 1996, Bellare and Rogaway [12] proposed other candidates, based on the RSA assumption. The first
scheme is the by-now classical hash-and-decrypt paradigm (a.k.a. the Full-Domain
Hash paradigm): as for the basic RSA signature, the generation algorithm produces a large composite number N = pq, a public key e, and a private key d
such that e·d = 1 mod φ(N). In order to sign a message m, one first hashes it
using a full-domain hash function H : {0,1}^* → Z_N^*, and computes the e-th root,
σ = H(m)^d mod N. The verification algorithm simply checks whether the following equality holds, H(m) = σ^e mod N.

More generally, the Full-Domain Hash signature can be defined as follows,
for any trapdoor one-way permutation f:

K: Key Generation → (f, f^{-1})
    public key f : X → X, a trapdoor one-way permutation onto X
    private key f^{-1}

S: Signature of m → σ
    r = H(m) and σ = f^{-1}(r)
    → σ is the signature of m

V: Verification of (m, σ)
    check whether f(σ) = H(m)
    → Yes/No

FIGURE 5. The FDH Signature.





5.3.2. Security Analysis. For this scheme, Bellare and Rogaway proved, in the
random-oracle model:

Theorem 4. Let A be an adversary which can produce, with success probability
ε, an existential forgery under a chosen-message attack within a time t, after
q_h and q_s queries to the hash function and the signing oracle respectively.
Then the permutation f can be inverted with probability ε' within time t',
where

$$\varepsilon' \ge \frac{\varepsilon}{q_s + q_h + 1} \quad\text{and}\quad t' \le t + (q_s + q_h)\,T_f,$$

with T_f the time for an evaluation of f.
Let us present this proof, using the new formalism introduced by Victor Shoup
in [81, 82, 83], and which will be extensively used in these notes. In this technique,
we define a sequence G_1, G_2, etc., of modified attack games starting from the
actual game G_0. Each of the games operates on the same underlying probability
space: the public and private keys of the cryptographic scheme, the coin tosses of
the adversary A and the random oracles. Only the rules defining how the view
is computed differ from game to game. To go from one game to another with a
slightly different distribution probability, we repeatedly use the following lemma:

Lemma 3. Let E_1, E_2 and F_1, F_2 be events defined on a probability space

$$\Pr[E_1 \mid \neg F_1] = \Pr[E_2 \mid \neg F_2] \ \text{ and }\ \Pr[F_1] = \Pr[F_2] = \varepsilon \ \Longrightarrow\ |\Pr[E_1] - \Pr[E_2]| \le \varepsilon.$$

Proof. The proof follows from easy computations:

$$\begin{aligned}
|\Pr[E_1] - \Pr[E_2]| &= |\Pr[E_1 \mid F_1]\cdot\Pr[F_1] + \Pr[E_1 \mid \neg F_1]\cdot\Pr[\neg F_1] \\
&\qquad - \Pr[E_2 \mid F_2]\cdot\Pr[F_2] - \Pr[E_2 \mid \neg F_2]\cdot\Pr[\neg F_2]| \\
&= |(\Pr[E_1 \mid F_1] - \Pr[E_2 \mid F_2])\cdot\varepsilon + (\Pr[E_1 \mid \neg F_1] - \Pr[E_2 \mid \neg F_2])\cdot(1-\varepsilon)| \\
&= |(\Pr[E_1 \mid F_1] - \Pr[E_2 \mid F_2])\cdot\varepsilon| \le \varepsilon.
\end{aligned}$$














Actually, this lemma will not be used in the proofs of the FDH signatures, 
because all the simulated distributions will remain perfect. 
Basic Proof of the FDH Signature. In this proof, we incrementally define a sequence of games starting at the real game G_0 and ending up at G_5. We make
a very detailed sequence of games in this proof, since this is the first one. Some
steps will be skipped in the other proofs. The goal of this proof is to reduce the
inversion of the permutation f on an element y (find x such that y = f(x)) to an
attack. We are thus given such a random challenge y.


Game G_0: This is the real attack game, in the random-oracle model, which
includes the verification step. This means that the attack game consists in giving
the public key to the adversary, and a full access to the signing oracle. When it
outputs its forgery, one furthermore checks whether it is actually valid or not. Note
that if the adversary asks q_s queries to the signing oracle and q_h queries to the hash
oracle, at most q_s + q_h + 1 queries are asked to the hash oracle during this game,
since each signing query may make such a new query, and the last verification step
too. We are interested in the following event: S_0 which occurs if the verification
step succeeds (and the signature is new).

$$\mathrm{Succ}^{\mathrm{euf}}_{\mathrm{FDH}}(A) = \Pr[S_0]. \tag{1}$$


Game G_1: In this game, we simulate the oracles, the hash oracle H and the
signing oracle S, and the last verification step, as shown on Figure 6. From this
simulation, we easily see that the game is perfectly indistinguishable from the real
attack.

$$\Pr[S_1] = \Pr[S_0]. \tag{2}$$
    For a hash-query H(q), such that a record (q, *, r) appears in H-List,
    the answer is r. Otherwise the answer r is defined according to the
    following rule:

        ▷ Rule H^(1)
        Choose a random element r ∈ X. The record
        (q, ⊥, r) is added to H-List.

    Note: the second component of the elements of this list will be explained later.

    For a sign-query S(m), one first asks for r = H(m) to the H-oracle,
    and then the signature σ is defined according to the following rule:

        ▷ Rule S^(1)
        Compute σ = f^{-1}(r).

    The game ends with the verification of the output (m, σ) from the
    adversary. One first asks for r = H(m), and checks whether r = f(σ).

FIGURE 6. Simulation of the Attack Game against FDH


Game G_2: Since the verification process is included in the attack game, the
output message is necessarily asked to the hash oracle. Let us guess the index c of
this (first) query. If the guess failed, we abort the game. Therefore, only a correct
guess (event GoodGuess) may lead to a success.

$$\Pr[S_2] = \Pr[S_1 \wedge \mathsf{GoodGuess}] = \Pr[S_1 \mid \mathsf{GoodGuess}] \times \Pr[\mathsf{GoodGuess}] \ge \Pr[S_1] \times \frac{1}{q_h + q_s + 1}. \tag{3}$$


Game G_3: We can now simulate the hash oracle, incorporating the challenge y,
for which we want to extract the pre-image x by f:

    ▷ Rule H^(3)
    If this is the c-th query, set r ← y; otherwise, choose a
    random element r ∈ X. The record (q, ⊥, r) is added to
    H-List.

Because of the random choice for the challenge y, this rule lets the game indistinguishable from the previous one.

$$\Pr[S_3] = \Pr[S_2]. \tag{4}$$


Game G_4: We now modify the simulation of the hash oracle for other queries,
which may be used in signing queries:

    ▷ Rule H^(4)
    If this is the c-th query, set r ← y and s ← ⊥; otherwise,
    choose a random element s ∈ X, and compute r = f(s).
    The record (q, s, r) is added to H-List.

Because of the permutation property of f, and the random choice for s, this rule
lets the game indistinguishable from the previous one.

$$\Pr[S_4] = \Pr[S_3]. \tag{5}$$


Game G_5: By now, except for the c-th hash query, which will be involved in
the forgery (and thus not asked to the signing oracle), the pre-image is known.
One can thus simulate the signing oracle without querying f^{-1}:

    ▷ Rule S^(5)
    Look up for (m, s, r) in H-List, and set σ = s.

Since the message corresponding to the c-th query cannot be asked to the signing
oracle, otherwise it would not be a valid forgery, this rule lets the game indistinguishable from the previous one.

$$\Pr[S_5] = \Pr[S_4]. \tag{6}$$

Note that now, the simulation can easily be performed, without any specific computational power or oracle access. Just a few more evaluations of f are done to
simulate the hash oracle, and the forgery leads to the pre-image of y:

$$\Pr[S_5] \le \mathrm{Succ}^{\mathrm{ow}}_f\bigl(t + (q_h + q_s)T_f\bigr). \tag{7}$$

As a consequence, using equations (1), (2), (3), (4), (5), (6) and (7)

$$\mathrm{Succ}^{\mathrm{ow}}_f\bigl(t + (q_h + q_s)T_f\bigr) \ge \Pr[S_5] = \Pr[S_4] = \Pr[S_3] = \Pr[S_2] \ge \frac{1}{q_h + q_s + 1} \times \Pr[S_1] = \frac{1}{q_h + q_s + 1} \times \Pr[S_0].$$

And thus,

$$\mathrm{Succ}^{\mathrm{euf}}_{\mathrm{FDH}}(A) \le (q_h + q_s + 1) \times \mathrm{Succ}^{\mathrm{ow}}_f\bigl(t + (q_h + q_s)T_f\bigr).$$
Improved Security Result. This reduction has been thereafter improved [22],
thanks to the random self-reducibility of the RSA function. The following result
applies as soon as the one-way permutation has some homomorphic property on
the group X:

$$f(x \otimes y) = f(x) \otimes f(y).$$

Theorem 5. Let A be an adversary which can produce, with success probability
ε, an existential forgery under a chosen-message attack within a time t, after
q_h and q_s queries to the hash function and the signing oracle respectively.
Then the permutation f can be inverted with probability ε' within time t'
where

$$\varepsilon' \ge \frac{\varepsilon}{q_s} \times \exp(-2) \quad\text{and}\quad t' \le t + (q_s + q_h)\,T_f,$$

with T_f the time for an evaluation of f.
This proof can be performed as the previous one, and thus starts at the real
game G_0, then we can use the same simulation as in the game G_1. The sole formal
difference in the simulation will be the H-List whose elements have one more field,
and are thus initially of the form (q, ⊥, ⊥, r). Things differ much after that, using
a real value p between 0 and 1, which will be made precise later. The idea here,
is to make any forgery useful for inverting the permutation f, not only a specific
(guessed) one. On the other hand, one must still be able to simulate the signing
oracle. The probability p will separate the two situations:

Game G_2: A random coin decides whether we introduce the challenge y in the
hash answer, or an element with a known pre-image:

    ▷ Rule H^(2)
    One chooses a random s ∈ X. With probability p, one sets
    r ← y ⊗ f(s) and t ← 1; otherwise, r ← f(s) and t ← 0.
    The record (q, t, s, r) is added to H-List.

Because of the homomorphic property on the group X of the permutation f,
this rule lets the game indistinguishable from the previous one. Note again that
elements in H-List contain one more field t than in the previous proof. One may
see that r = y^t ⊗ f(s).





Game G_3: For a proportion 1 − p of the signature queries, one can simulate the
signing oracle without having to invert the permutation f:

    ▷ Rule S^(3)
    Look up for (m, t, s, r) in H-List, if t = 1 then halt the game,
    otherwise set σ = s.

This rule lets the game indistinguishable, unless one signing query fails (t = 1),
which happens with probability p, for each signature:

$$\Pr[S_3] = (1 - p)^{q_s} \times \Pr[S_2]. \tag{8}$$

Note that now, the simulation can easily be performed, without any specific computational power or oracle access. Just a few more exponentiations are done to
simulate the hash oracle, and the forgery (m, σ) leads to the pre-image of y, if
(t = 1). The latter case holds with probability p. Indeed, (m, t, s, r) can be found
in the H-List, and then r = y^t ⊗ f(s) = y ⊗ f(s) = f(σ), which easily leads to the
pre-image of y by f:

$$\mathrm{Succ}^{\mathrm{ow}}_f\bigl(t + (q_h + q_s)T_f\bigr) \ge p \times \Pr[S_3]. \tag{9}$$

Using equations (1), (2), (8) and (9)

$$\mathrm{Succ}^{\mathrm{ow}}_f\bigl(t + (q_h + q_s)T_f\bigr) \ge p \times \Pr[S_3] = p \times (1-p)^{q_s} \times \Pr[S_2] = p \times (1-p)^{q_s} \times \Pr[S_1] = p \times (1-p)^{q_s} \times \Pr[S_0].$$

And thus,

$$\mathrm{Succ}^{\mathrm{euf}}_{\mathrm{FDH}}(A) \le \frac{1}{p(1-p)^{q_s}} \times \mathrm{Succ}^{\mathrm{ow}}_f\bigl(t + (q_h + q_s)T_f\bigr).$$
Therefore, the success probability of our inversion algorithm is p(1 − p)^{q_s} ε,
if ε is the success probability of the adversary. If q_s > 0, the latter expression
is optimal for p = 1/(q_s + 1). And for this parameter, and a huge value q_s, the
success probability is approximately ε/(e q_s). It is anyway larger than ε/(e^2 q_s) (where
e = exp(1) ≈ 2.71...).

As far as time complexity is concerned, each random oracle simulation (which
can be launched by a signing simulation) requires a modular exponentiation to the
power e, hence the result.

This is a great improvement since the success probability does not depend
anymore on q_h. Furthermore, q_s can be limited by the user, whereas q_h cannot. In
practice, one only assumes q_h ≤ 2^60, but q_s can be limited below 2^30.
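Added example (not from the notes): a Python simulation of the improved reduction's oracles, Rules H^(2) and S^(3) above, run against a stand-in forger, which also reports the empirical success rate for comparison with p(1 − p)^{q_s}. The RSA key and the forger's messages are constructed toy values; the forger uses the private exponent only because it stands in for an adversary that is assumed able to forge, while the reduction itself only ever evaluates f.

```python
import math
import random

# Constructed toy RSA instance (p = 61, q = 53). D is used only by the stand-in
# forger; the reduction never touches it and only evaluates f(x) = x^E mod N.
N, E, D = 3233, 17, 2753


def f(x):
    """The RSA permutation on Z_N^*, the one-way function the reduction must invert."""
    return pow(x, E, N)


class ImprovedFDHReduction:
    """Hash and signing oracles of Games G_2/G_3 of the improved FDH proof.

    Each hash answer is r = y^t (x) f(s) with a fresh random s and a coin t that is 1
    with probability p ((x) is the group law of Z_N^*, i.e. multiplication mod N).
    t = 0 messages can be signed with s; a signing query on a t = 1 message halts the
    game; a forgery on a t = 1 message yields the pre-image of y."""

    def __init__(self, y, p, rng):
        self.y, self.p, self.rng = y, p, rng
        self.h_list = {}          # message -> (t, s, r)
        self.aborted = False

    def H(self, m):
        if m not in self.h_list:
            s = self.rng.randrange(1, N)
            while math.gcd(s, N) != 1:            # keep s inside Z_N^*
                s = self.rng.randrange(1, N)
            t = 1 if self.rng.random() < self.p else 0
            r = pow(self.y, t, N) * f(s) % N      # Rule H^(2): r = y^t (x) f(s)
            self.h_list[m] = (t, s, r)
        return self.h_list[m][2]

    def sign(self, m):
        self.H(m)
        t, s, _ = self.h_list[m]
        if t == 1:                                # Rule S^(3): halt the game
            self.aborted = True
            return None
        return s                                  # valid, since f(s) = r = H(m)

    def extract(self, m, sigma):
        """Turn a valid forgery (m, sigma) on a t = 1 message into x with f(x) = y."""
        self.H(m)                                 # the verification step queries H(m)
        t, s, r = self.h_list[m]
        if self.aborted or t != 1 or f(sigma) != r:
            return None
        # f(sigma) = y (x) f(s)  =>  f(sigma / s) = y
        return sigma * pow(s, -1, N) % N


def stand_in_forger(oracle, n_sign):
    """Black box standing in for A: asks n_sign signatures, then forges on a fresh
    message (here with the private key, since A is assumed to be able to forge)."""
    for i in range(n_sign):
        if oracle.sign(f"msg{i}") is None:
            return None                           # the game was halted
    m = "forged-message"
    return m, pow(oracle.H(m), D, N)              # a genuine FDH signature on m


def run_reduction(y, p, q_s, seed):
    """One execution of the reduction; returns x with f(x) = y, or None on failure."""
    red = ImprovedFDHReduction(y, p, random.Random(seed))
    forgery = stand_in_forger(red, q_s)
    if forgery is None:
        return None
    return red.extract(*forgery)


def success_rate(y, p, q_s, trials):
    """Empirical success probability, to be compared with p * (1 - p)^q_s."""
    hits = sum(run_reduction(y, p, q_s, seed) is not None for seed in range(trials))
    return hits / trials


if __name__ == "__main__":
    x, q_s = 42, 3
    y = f(x)
    p_opt = 1 / (q_s + 1)                         # the optimal choice p = 1/(q_s + 1)
    print("expected", p_opt * (1 - p_opt) ** q_s,
          "observed", success_rate(y, p_opt, q_s, 2000))
```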














5.3.3. The Probabilistic Signature Scheme. However, one would like to get more,
suppressing any coefficient. In their paper [12], Bellare and Rogaway proposed
such a better candidate, the Probabilistic Signature Scheme (PSS, see Figure 7):
the key generation is still the same, but the signature process involves three hash
functions

$$F : \{0,1\}^{k_2} \to \{0,1\}^{k_0}, \quad G : \{0,1\}^{k_2} \to \{0,1\}^{k_1}, \quad H : \{0,1\}^* \to \{0,1\}^{k_2},$$

where k = k_0 + k_1 + k_2 + 1 satisfies {0,1}^{k−1} ⊆ X ⊆ {0,1}^k. We remind that f is
a trapdoor one-way permutation onto X, with an homomorphic relationship. For
each message m to be signed, one chooses a random string r ∈ {0,1}^{k_1}. One first
computes w = H(m, r), s = G(w) ⊕ r and t = F(w). Then one concatenates y =
0||w||s||t, where a||b denotes the concatenation of the bit strings a and b. Finally,
one computes the pre-image by f, σ = f^{-1}(y). The verification algorithm first
computes y = f(σ), and parses it as y = b||w||s||t. Then, one can get r = s ⊕ G(w),
and checks whether b = 0, w = H(m, r) and t = F(w).

FIGURE 7. Probabilistic Signature Scheme

About this PSS construction, Bellare and Rogaway proved the security in the
random-oracle model.
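An added Python implementation (not the authors' code) of the PSS signing and verification steps just described, with SHA-256-based stand-ins for F, G and H and a constructed toy RSA key. The sizes k, k_0, k_1, k_2 are toy values chosen only so that {0,1}^{k−1} ⊆ X ⊆ {0,1}^k holds for X = Z_N.

```python
import hashlib
import secrets

# Constructed toy RSA key: f(x) = x^E mod N is the trapdoor permutation on X = Z_N.
P_, Q_ = 1000003, 1000033
N, E = P_ * Q_, 65537
D = pow(E, -1, (P_ - 1) * (Q_ - 1))

# Toy parameters: k = k0 + k1 + k2 + 1 with 2^(k-1) <= N < 2^k (far too small for real use).
K, K0, K1, K2 = 40, 8, 16, 15
assert K0 + K1 + K2 + 1 == K and 2 ** (K - 1) <= N < 2 ** K


def _ro(tag, data, bits):
    """Stand-in random oracle: SHA-256 with domain separation, truncated to `bits` bits."""
    digest = hashlib.sha256(tag + data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def F(w):          # F : {0,1}^k2 -> {0,1}^k0
    return _ro(b"F", w.to_bytes(2, "big"), K0)


def G(w):          # G : {0,1}^k2 -> {0,1}^k1
    return _ro(b"G", w.to_bytes(2, "big"), K1)


def H(m, r):       # H : {0,1}^* -> {0,1}^k2  (m is a byte string, r a k1-bit salt)
    return _ro(b"H", m + r.to_bytes(2, "big"), K2)


def pss_encode(m, r):
    """y = 0 || w || s || t as an integer; the leading 0 bit keeps y below 2^(k-1) <= N."""
    w = H(m, r)
    s = G(w) ^ r
    t = F(w)
    return (w << (K1 + K0)) | (s << K0) | t


def sign(m, r=None):
    """sigma = f^{-1}(y) for a fresh k1-bit salt r (a fixed r may be passed for tests)."""
    r = secrets.randbelow(2 ** K1) if r is None else r
    return pow(pss_encode(m, r), D, N)


def verify(m, sigma):
    """Compute y = f(sigma), parse it as b || w || s || t and redo the three checks."""
    y = pow(sigma, E, N)
    b = y >> (K - 1)
    w = (y >> (K1 + K0)) & ((1 << K2) - 1)
    s = (y >> K0) & ((1 << K1) - 1)
    t = y & ((1 << K0) - 1)
    r = s ^ G(w)                                  # recover the salt from s
    return b == 0 and w == H(m, r) and t == F(w)


if __name__ == "__main__":
    sigma = sign(b"hello")
    print("valid:", verify(b"hello", sigma), "tampered:", verify(b"hellp", sigma))
```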
Theorem 6. Let A be a CMA-adversary against f-PSS which produces an
existential forgery within a time t, after q_f, q_g, q_h and q_s queries to the hash
functions F, G and H and the signing oracle respectively. Then its success
probability is upper-bounded by

$$\mathrm{Succ}^{\mathrm{ow}}_f\bigl(t + (q_s + q_h)\,k_2\,T_f\bigr) + \frac{1}{2^{k_2}} + (q_s + q_h)\cdot\Bigl(\frac{1 + q_f + q_g + q_h + q_s}{2^{k_2}} + \frac{q_s}{2^{k_1}}\Bigr),$$

with T_f the time for an evaluation of f.

Proof. First, we assume the existence of an adversary A that produces an existential forgery with probability ε within time t, after q_f, q_g and q_h queries to the
random oracles F, G and H and q_s queries to the signing oracle.

Game G_0: This is the real-world attack game. In any game G_n, we denote by
S_n the event V(pk, m, σ) = 1, for a new signature σ.

Game G_1: In this game, we make the classical simulation of the random oracles,
with random answers for any new query, as shown on Figure 8. This game is clearly
identical to the previous one. The H simulation may seem a bit intricate, but the
bit c is never used. It will appear later.

Game G_2: In this game, we introduce the random challenge y*, for which one
is looking for x* such that y* = f(x*). Thus, we replace the random oracle H by
the following simulation, which may abort:

    ▷ Rule H-New^(2)
    Choose a random u ∈ X, then if c = 1, compute z =
    y* ⊗ f(u), otherwise compute z = f(u), until the most
    significant bit of z is 0, but at most k_2 times (otherwise one
    aborts the game). Choose a random element w ∈ {0,1}^{k_2}.
    The record (m, r, c, ⊥, w) is added in H-List.

Let us remark that the number of calls to H is upper-bounded by q_h + q_s (direct
queries and queries asked by the signing oracle.) This game may only differ from
the previous one during some H-simulations, if the simulation aborts because z is
still in the bad range, even after the k_2 attempts (event BadRange_2). Using the
Lemma 3, noting that

$$\Pr[S_2 \mid \neg\mathsf{BadRange}_2] = \Pr[S_1 \mid \neg\mathsf{BadRange}_2] \quad\text{and}\quad \Pr[\mathsf{BadRange}_2] \le \frac{q_h + q_s}{2^{k_2}},$$

one gets

$$|\Pr[S_2] - \Pr[S_1]| \le \frac{q_h + q_s}{2^{k_2}}. \tag{10}$$


    Query F(w): if a record (w, t) appears in F-List, the answer is t.
    Otherwise the answer t is chosen randomly: t ∈ {0,1}^{k_0} and the record
    (w, t) is added in F-List.

    Query G(w): if a record (w, g) appears in G-List, the answer is g.
    Otherwise the answer g is chosen randomly: g ∈ {0,1}^{k_1} and the
    record (w, g) is added in G-List.

    Query H(m, r): one first sets c = 0 if the query is asked by the signing
    oracle, and c = 1 otherwise (by the adversary directly). If a record
    (m, r, *, ⊥, w) appears in H-List:

        ▷ Rule H-Old^(1)
        The answer is w.

    Otherwise the answer w is defined according to the following rule:

        ▷ Rule H-New^(1)
        Choose a random element w ∈ {0,1}^{k_2}. The record
        (m, r, c, ⊥, w) is added in H-List.

    Note: the fourth component of the elements of this list will be explained later.

    F, G and H oracles

    For a sign-query S(m), one first chooses a random r ∈ {0,1}^{k_1} and
    asks for w = H(m, r), s = G(w) ⊕ r and t = F(w). Then one concatenates
    y = 0||w||s||t and computes the signature σ according to the
    following rule:

        ▷ Rule S^(1)
        Compute σ = f^{-1}(y).

FIGURE 8. Simulation of the Attack Game against PSS

Game G_3: In the above game, one may have noted that z is uniformly distributed
in X, because of the permutation property of f, with the conditioning that the
most significant bit is 0. One can thus parse it into 0||w||s||t, where w is uniformly
distributed in {0,1}^{k_2}:

    ▷ Rule H-New^(3)
    Choose a random u ∈ X, then if c = 1, compute z =
    y* ⊗ f(u), otherwise compute z = f(u), until the most
    significant bit of z is 0, but at most k_2 times (otherwise one
    aborts the game). Thereafter, z is parsed into 0||w||s||t. The
    record (m, r, c, u, w) is added in H-List.

This simulation is thus perfectly indistinguishable, since the additional field u in
the H-List is never used. But note that z = y*^c ⊗ f(u).


Game G_4: Now, we furthermore anticipate some F or G answers, with random
numbers, which is the case of the above s and t:

    ▷ Rule H-New^(4)
    Choose a random u ∈ X, then if c = 1, compute z =
    y* ⊗ f(u), otherwise compute z = f(u), until the most
    significant bit of z is 0, but at most k_2 times (otherwise one
    aborts the game). Thereafter, z is parsed into 0||w||s||t, and
    one adds the record (w, t) to the F-List and (w, s ⊕ r) to the
    G-List. The record (m, r, c, u, w) is added in H-List.

This game may only differ from the previous one if during some H-simulations,
F(w) or G(w) have already been defined (either by a direct query, or by a
H-simulation.)

$$|\Pr[S_4] - \Pr[S_3]| \le \frac{(q_h + q_s)(q_f + q_g + q_h + q_s)}{2^{k_2}}. \tag{11}$$
Game G_5: Now, we simply abort if the signing oracle makes a H(m, r)-query
for some (m, r) that has already been asked to H.

    ▷ Rule H-Old^(5)
    If c = 0, then one aborts the game, otherwise the answer is
    w.

Because of the possible abortion

$$|\Pr[S_5] - \Pr[S_4]| \le q_s(q_h + q_s)/2^{k_1}. \tag{12}$$


Game G_6: In the last game, we replace the signing oracle by an easy simulation,
returning the value u involved in the answer H(m, r), which defines z = f(u):

    ▷ Rule S^(6)
    Look up for (m, r, c, u, w) in H-List, and set σ = u.

The simulation is perfect since c = 0.

The event S_6 means that, at the end of that game, the adversary outputs a
valid message/signature (m, σ). The latter satisfies: y = f(σ) = b||w||s||t. Then
one gets r = s ⊕ G(w), and checks whether b = 0, w = H(m, r) and t = F(w). Such
a signature is valid

• without having queried H(m, r), which is possible with probability bounded
by 2^{−k_2};

• with y = y* ⊗ f(u), where (m, r, 1, u, w) ∈ H-List, and thus one gets x*.

$$\Pr[S_6] \le \mathrm{Succ}^{\mathrm{ow}}_f(t') + 2^{-k_2}, \tag{13}$$

where t' is the running time of the adversary, including the time for the simulations:
t' ≤ t + (q_s + q_h)·k_2·T_f.














The important point in this security result is the very tight link between success
probabilities, but also the almost linear time of the reduction. Thanks to this
exact and efficient security result, RSA-PSS has become the new PKCS #1 v2.1
standard for signature [74]. Another variant has been proposed with message-recovery: PSS-R which allows one to include a large part of the message inside the
signature. This makes a signed-message shorter than the size of the signature plus
the size of the message, since the latter is inside the former one.


6. Public-Key Encryption 


6.1. History 


6.1.1. The RSA Encryption Scheme. In the same paper [73] as the RSA signature
scheme appeared, Rivest, Shamir and Adleman also proposed a public-key encryption scheme, thanks to the “trapdoor one-way permutation” property of the RSA
function: the generation algorithm produces a large composite number N = pq, a
public key e, and a private key d such that e·d = 1 mod φ(N). The encryption of
a message m, encoded as an element in Z_N^*, is simply c = m^e mod N. This ciphertext can be easily decrypted thanks to the knowledge of d, m = c^d mod N. Clearly,
this encryption is OW-CPA, relative to the RSA problem. The determinism makes
a plaintext-checking oracle useless. Indeed, the encryption of a message m, under a
public key pk is always the same, and thus it is easy to check whether a ciphertext
c really encrypts m, by re-encrypting it. Therefore the RSA-encryption scheme is
OW-PCA relative to the RSA problem as well.

Because of this determinism, it cannot be semantically secure: given the encryption c of either m_0 or m_1, the adversary simply computes c' = m_0^e mod N and
checks whether c' = c. Furthermore, with a small exponent e (e.g. e = 3), any security vanishes under a multi-user attack: given c_1 = m^3 mod N_1, c_2 = m^3 mod N_2
and c_3 = m^3 mod N_3, one can easily compute m^3 mod N_1N_2N_3 thanks to the
Chinese Remainder Theorem, which is exactly m^3 in Z and therefore leads to an
easy recovery of m.


6.1.2. The El Gamal Encryption Scheme. In 1985, El Gamal [27] also designed
a public-key encryption scheme based on the Diffie-Hellman key exchange protocol [25]: given a cyclic group G of prime order q and a generator g, the generation algorithm produces a random element x ∈ Z_q as private key, and a public
key y = x·g. The encryption of a message m, encoded as an element m in G, is a
pair (c = a·g, d = a·y + m), for a random a ∈ Z_q. This ciphertext can be easily
decrypted thanks to the knowledge of x, since

$$a \cdot y = ax \cdot g = x \cdot c,$$

and thus m = d − x·c. This encryption scheme is well-known to be OW-CPA relative to the Computational Diffie-Hellman problem. It is also semantically secure
(against chosen-plaintext attacks) relative to the Decisional Diffie-Hellman problem [85]. For OW-PCA, it relies on the Gap Diffie-Hellman problem [60].

As we have seen above, the expected security level is IND-CCA, whereas
the RSA encryption just reaches OW-CPA under the RSA assumption, and the
El Gamal encryption achieves IND-CPA under the DDH assumption. Can we
achieve IND-CCA for practical encryption schemes?
6.2. A First Generic Construction


In [10], Bellare and Rogaway proposed the first generic construction which applies
to any trapdoor one-way permutation f onto X. We need two hash functions G
and H:

$$G : X \to \{0,1\}^n \quad\text{and}\quad H : \{0,1\}^* \to \{0,1\}^{k_1},$$

where n is the bit-length of the plaintexts, and k_1 a security parameter. Then the
encryption scheme BR = (K, E, D) can be described as follows:

• K(1^k): specifies an instance of the function f, and of its inverse f^{-1}. The
public key pk is therefore f and the private key sk is f^{-1}.

• E_pk(m; r): given a message m ∈ {0,1}^n, and a random value r ∈_R X, the
encryption algorithm E_pk computes

$$a = f(r), \quad b = m \oplus G(r) \quad\text{and}\quad c = H(m, r),$$

and outputs the ciphertext y = a||b||c.

• D_sk(a||b||c): thanks to the private key, the decryption algorithm D_sk extracts

$$r = f^{-1}(a), \quad\text{and next}\quad m = b \oplus G(r).$$

If c = H(m, r), the algorithm returns m, otherwise it returns “Reject.”
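Added example, not part of the original notes: the BR construction in Python over a constructed toy RSA permutation, with SHA-256 stand-ins for G and H, and the decryption-time check that returns “Reject” when the tag c does not match. The key, message sizes n and k_1, and the sample message are constructed toy values.

```python
import hashlib
import secrets

# Constructed toy RSA key: f(r) = r^E mod N is the trapdoor permutation on X = Z_N.
P_, Q_ = 1000003, 1000033
N, E = P_ * Q_, 65537
D = pow(E, -1, (P_ - 1) * (Q_ - 1))
NBITS, K1 = 64, 32            # plaintext length n and tag length k1 (toy sizes)
REJECT = "Reject"


def _ro(tag, data, bits):
    """Stand-in random oracle: SHA-256 with domain separation, truncated to `bits` bits."""
    digest = hashlib.sha256(tag + data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def G(r):                     # G : X -> {0,1}^n   (elements of Z_N fit in 8 bytes)
    return _ro(b"G", r.to_bytes(8, "big"), NBITS)


def H(m, r):                  # H : {0,1}^* -> {0,1}^k1
    return _ro(b"H", m.to_bytes(8, "big") + r.to_bytes(8, "big"), K1)


def encrypt(m, r=None):
    """E_pk(m; r): returns the triple (a, b, c) standing for y = a || b || c."""
    assert 0 <= m < 2 ** NBITS
    r = secrets.randbelow(N) if r is None else r
    a = pow(r, E, N)          # a = f(r)
    b = m ^ G(r)              # b = m xor G(r)
    c = H(m, r)               # c = H(m, r), the tag checked at decryption
    return a, b, c


def decrypt(a, b, c):
    """D_sk(a || b || c): r = f^{-1}(a), m = b xor G(r), then the tag check."""
    r = pow(a, D, N)
    m = b ^ G(r)
    return m if c == H(m, r) else REJECT


def decrypt_without_tag(a, b):
    """What a decryptor that skipped the H check would return: flipping a bit of b
    flips the same bit of the plaintext, which is why the tag matters for CCA."""
    return b ^ G(pow(a, D, N))


if __name__ == "__main__":
    a, b, c = encrypt(0xDEADBEEF12345678)
    print(hex(decrypt(a, b, c)), decrypt(a, b ^ 1, c))
```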
About this construction, one can prove:

Theorem 7. Let A be a CCA-adversary against the semantic security of the
above encryption scheme BR. Assume that A has advantage ε and running
time τ and makes q_d, q_g and q_h queries to the decryption oracle, and the
hash functions G and H, respectively. Then

$$\mathrm{Succ}^{\mathrm{ow}}_f(\tau') \ \ge\ \cdots \qquad\text{with}\quad \tau' \le \tau + (q_g + q_h)\cdot T_f,$$

where T_f denotes the time complexity for evaluating f.


Proof. In the following we use starred letters (r*, a*, b*, c* and y*) to refer to
the challenge ciphertext, whereas unstarred letters (r, a, b, c and y) refer to the
ciphertext asked to the decryption oracle.

Game G_0: A pair of keys (pk, sk) is generated using K(1^k). Adversary A_1
is fed with pk, the description of f, and outputs a pair of messages (m_0, m_1).
Next a challenge ciphertext is produced by flipping a coin b and producing a
ciphertext y* = a*||b*||c* of m_b. This ciphertext comes from a random r* ∈_R X
and a* = f(r*), b* = m_b ⊕ G(r*) and c* = H(m_b, r*). On input y*, A_2 outputs bit
b'. In both stages, the adversary is given additional access to the decryption oracle
D_sk. The only requirement is that the challenge ciphertext y* cannot be queried
from the decryption oracle.

We denote by S_0 the event b' = b and use a similar notation S_i in any G_i
below. By definition, we have

$$\Pr[S_0] = \frac{1}{2} + \frac{\varepsilon}{2}. \tag{14}$$


Game G_1: In this game, one makes the classical simulation of the random
oracles, with random answers for any new query, as shown on Figure 9. This game
is clearly identical to the previous one.

    Query G(r): if a record (r, g) appears in G-List, the answer is g.
    Otherwise the answer g is chosen randomly: g ∈ {0,1}^n and the record
    (r, g) is added in G-List.

    Query H(m, r): if a record (m, r, h) appears in H-List, the answer is h.
    Otherwise the answer h is chosen randomly: h ∈ {0,1}^{k_1} and the
    record (m, r, h) is added in H-List.

    G, H Oracles

    Query D_sk(a||b||c): one applies the following rules:

        ▷ Rule Decrypt-R^(1)
        Compute r = f^{-1}(a);

    Then, compute m = b ⊕ G(r), and finally,

        ▷ Rule Decrypt-H^(1)
        If c = H(m, r), one returns m, otherwise one returns “Reject.”

    Decryption Oracle

    For two messages (m_0, m_1), flip a coin b and set m* = m_b.

        ▷ Rule Chal-Hash^(1)
        Choose randomly r*, then set
        a* = f(r*),
        g* = G(r*), b* = m* ⊕ g*,
        c* = H(m*, r*).

    Then, output y* = a*||b*||c*.

    Challenger

FIGURE 9. Formal Simulation of the IND-CCA Game against the
BR Construction


Game G_2: In this game, one randomly chooses h⁺ ∈_R {0,1}^{k_1}, and uses it instead
of H(m*, r*).

    ▷ Rule Chal-Hash^(2)
    The value h⁺ ∈_R {0,1}^{k_1} has been chosen ahead of time,
    choose randomly r*, then set a* = f(r*), g* = G(r*), b* =
    m* ⊕ g*, and c* = h⁺.

The two games G_2 and G_1 are perfectly indistinguishable unless (m*, r*) is asked
for H, either by the adversary or the decryption oracle. But the latter case is not
possible, otherwise the decryption query would be the challenge ciphertext. More
generally, we denote by AskR_2 the event that r* has been asked to G or to H, by
the adversary. We have:

$$|\Pr[S_2] - \Pr[S_1]| \le \Pr[\mathsf{AskR}_2]. \tag{15}$$


Game G_3: We start modifying the simulation of the decryption oracle, by
rejecting any ciphertext (a||b||c) for which the corresponding (m, r) has not been
queried to H:

    ▷ Rule Decrypt-H^(3)
    Look up in H-List for (m, r, c). If such a triple does not exist,
    then output “Reject”, otherwise output m.

Such a simulation differs from the previous one if the value c has been correctly
guessed, by chance:

$$|\Pr[S_3] - \Pr[S_2]| \le \frac{q_d}{2^{k_1}}, \qquad |\Pr[\mathsf{AskR}_3] - \Pr[\mathsf{AskR}_2]| \le \frac{q_d}{2^{k_1}}. \tag{16}$$


Game G_4: In this game, one randomly chooses r⁺ ∈_R X and g⁺ ∈_R {0,1}^n, and
uses r⁺ instead of r*, as well as g⁺ instead of G(r*).

    ▷ Rule Chal-Hash^(4)
    The three values r⁺ ∈_R X, g⁺ ∈_R {0,1}^n and h⁺ ∈_R
    {0,1}^{k_1} have been chosen ahead of time, then set a* =
    f(r⁺), b* = m* ⊕ g⁺, c* = h⁺.

The two games G_4 and G_3 are perfectly indistinguishable unless r* is asked for
G, either by the adversary or the decryption oracle. The former case has already
been cancelled in the previous game, in AskR_3. The latter case does not make any
difference since either H(m, r*) has been queried by the adversary, which falls in
AskR_3, or the ciphertext is rejected in both games. We have:

$$\Pr[S_4] = \Pr[S_3], \qquad \Pr[\mathsf{AskR}_4] = \Pr[\mathsf{AskR}_3]. \tag{17}$$

In this game, m* is masked by g⁺, a random value which never appears anywhere
else. Thus, the input to A_2 follows a distribution that does not depend on b.
Accordingly:

$$\Pr[S_4] = \frac{1}{2}. \tag{18}$$


Game G_5: Finally, one randomly chooses a⁺ ∈_R X, which implicitly defines
a random r⁺ in X. Actually, a⁺ is the given random challenge for which one is
looking for the pre-image r⁺.

    ▷ Rule Chal-Hash^(5)
    The three values a⁺ ∈_R X, g⁺ ∈_R {0,1}^n and h⁺ ∈_R
    {0,1}^{k_1} have been chosen/given ahead of time, then set
    a* = a⁺, b* = m* ⊕ g⁺, c* = h⁺.

The two games G_5 and G_4 are perfectly indistinguishable, thanks to the permutation property of f.

Game G_6: In the simulation of the decryption oracle, we may reject even earlier,
if the corresponding r has not been queried to G:

    ▷ Rule Decrypt-R^(6)
    Look up in G-List for (r, g) such that a = f(r). If no r is
    found, then output “Reject”.

Such a simulation differs from the previous one if the value (m, r) has been queried
to H, while G(r) is unpredictable, and thus m = G(r) ⊕ b is unpredictable too:

$$|\Pr[\mathsf{AskR}_6] - \Pr[\mathsf{AskR}_5]| \le \frac{q_d}{2^n}. \tag{19}$$

One may now note that the event AskR_6 leads to the pre-image of a⁺ by f in the
queries asked to G and H, by the adversary. By checking all of them, one gets it:

$$\Pr[\mathsf{AskR}_6] \le \mathrm{Succ}^{\mathrm{ow}}_f\bigl(\tau + (q_g + q_h)T_f\bigr). \tag{20}$$














6.3. OAEP: the Optimal Asymmetric Encryption Padding.

6.3.1. Description. The problem with the above generic construction is the high
overhead. When one encrypts with a trapdoor one-way permutation onto $X$, one
could hope the ciphertext to be an element in $X$, without anything else. In 1994,
Bellare and Rogaway proposed such a more compact generic conversion [11], in the
random-oracle model, the "Optimal Asymmetric Encryption Padding" (OAEP, see
Figure 10), obtained from a trapdoor one-way permutation $f$ onto $\{0,1\}^k$, whose
inverse is denoted by $f^{-1}$. We need two hash functions $G$ and $H$:

$$G : \{0,1\}^{k_0} \to \{0,1\}^{k - k_0} \qquad\text{and}\qquad H : \{0,1\}^{k - k_0} \to \{0,1\}^{k_0},$$

for some $k_0$. We also need $n$ and $k_1$, which satisfy $k = n + k_0 + k_1$. Then the
encryption scheme $\mathrm{OAEP} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ can be described as follows:

• $\mathcal{K}(1^k)$: specifies an instance of the function $f$, and of its inverse $f^{-1}$. The
  public key $\mathsf{pk}$ is therefore $f$ and the private key $\mathsf{sk}$ is $f^{-1}$.

• $\mathcal{E}_{\mathsf{pk}}(m; r)$: given a message $m \in \{0,1\}^n$, and a random value $r \leftarrow \{0,1\}^{k_0}$,
  the encryption algorithm $\mathcal{E}_{\mathsf{pk}}$ computes

  $$s = (m\|0^{k_1}) \oplus G(r) \qquad\text{and}\qquad t = r \oplus H(s),$$

  and outputs the ciphertext $c = f(s, t)$.

• $\mathcal{D}_{\mathsf{sk}}(c)$: thanks to the private key, the decryption algorithm $\mathcal{D}_{\mathsf{sk}}$ extracts

  $$(s, t) = f^{-1}(c), \qquad\text{and next}\qquad r = t \oplus H(s) \qquad\text{and}\qquad M = s \oplus G(r).$$

  If $[M]_{k_1} = 0^{k_1}$, the algorithm returns $[M]^n$, otherwise it returns "Reject."

In the above description, $[M]_{k_1}$ denotes the $k_1$ least significant bits of $M$, while
$[M]^n$ denotes the $n$ most significant bits of $M$.

FIGURE 10. Optimal Asymmetric Encryption Padding


6.3.2. About the Security. Paper [11] includes a proof that, provided $f$ is a one-way
trapdoor permutation, the resulting OAEP encryption scheme is both semantically
secure and weakly plaintext-aware. This implies the semantic security
against indifferent chosen-ciphertext attacks, also called security against lunchtime
attacks (IND-CCA1). Indeed, weak plaintext-awareness means that the adversary
cannot produce a new valid ciphertext, before it has seen any valid one,
without knowing (awareness) the plaintext. This is more formally defined by the
existence of a plaintext-extractor which, on input a ciphertext and the list of the
query-answers of the random oracles, outputs the corresponding plaintext. This
plaintext-extractor is thus enough for simulating the decryption oracle, but in the
first step of the attack only. We briefly comment on the intuition behind (weak)
plaintext-awareness. When the plaintext-extractor receives a ciphertext $c$, then:

• either $s$ has been queried to $H$ and $r$ has been queried to $G$, in which case
  the extractor finds the cleartext by inspecting the two query lists G-List and
  H-List,

• or else the decryption of $(s, t)$ remains highly random and there is little chance
  to meet the redundancy $0^{k_1}$: the plaintext-extractor can safely declare the
  ciphertext invalid.

The argument collapses when the plaintext-extractor receives additional valid
ciphertexts, since this puts additional implicit constraints on $G$ and $H$. These
constraints cannot be seen by inspecting the query lists. Hence the requirement of
a stronger notion of plaintext-awareness. In [7], Bellare, Desai, Rogaway and the
author defined such a stronger notion which extends the previous awareness of the
plaintext even after having seen valid ciphertexts. But such a plaintext-awareness
notion had never been studied for OAEP, while it was still widely admitted.

Shoup's Counter-Example. In his papers [82, 83], Shoup showed that it was quite
unlikely to extend the results of [11] to obtain adaptive chosen-ciphertext security,
under the sole one-wayness of the permutation. His counter-example made use of
the ad hoc notion of an XOR-malleable trapdoor one-way permutation: for such a
permutation $f_0$, one can compute $f_0(x \oplus a)$ from $f_0(x)$ and $a$, with non-negligible
probability.

FIGURE 11. Shoup's attack.

Let $f_0$ be such an XOR-malleable permutation. Define $f$ by $f(s\|t) = s\|f_0(t)$.
Clearly, $f$ is also a trapdoor one-way permutation. However, it leads to a malleable
encryption scheme as we now show. Start with a challenge ciphertext $y = f(s\|t) =
s\|u$, where $s\|t$ is the output of the OAEP transformation on the redundant message
$m\|0^{k_1}$ and the random string $r$ (see Figure 11),

$$s = G(r) \oplus (m\|0^{k_1}), \qquad t = H(s) \oplus r \qquad\text{and}\qquad u = f_0(t).$$

Since $f$ is the identity on its leftmost part, we know $s$, and can define $\Delta = \delta\|0^{k_1}$, for
any random string $\delta$, and $s' = s \oplus \Delta$. We then set $t' = H(s') \oplus r = t \oplus (H(s) \oplus H(s'))$.
The XOR-malleability of $f_0$ allows one to obtain $u' = f_0(t')$ from $u = f_0(t)$ and
$H(s) \oplus H(s')$, with significant probability. Finally, $y' = s'\|u'$ is a valid ciphertext
of $m' = m \oplus \delta$, built from $r' = r$, since:

$$t' = f_0^{-1}(u') = t \oplus (H(s) \oplus H(s')) = H(s') \oplus r, \qquad r' = H(s') \oplus t' = r$$

and

$$s' \oplus G(r') = \Delta \oplus s \oplus G(r) = \Delta \oplus (m\|0^{k_1}) = (m \oplus \delta)\|0^{k_1}.$$

Note that the above definitely contradicts adaptive chosen-ciphertext security:
asking the decryption of $y'$ after having received the ciphertext $y$, an adversary
obtains $m'$ and easily recovers the actual cleartext $m$ from $m'$ and $\delta$. Also note
that Shoup's counter-example exactly stems from where the intuition developed
at the end of the previous section failed: a valid ciphertext $y'$ was created without
querying the oracle at the corresponding random seed $r'$, using in place the
implicit constraint on $G$ coming from the received valid ciphertext $y$.

Using methods from relativized complexity theory, Shoup [82, 83] built a non-standard
model of computation, where there exists an XOR-malleable trapdoor
one-way permutation. As a consequence, it is very unlikely that one can prove the
IND-CCA security of the OAEP construction, under the sole one-wayness of the
underlying permutation. Indeed, all methods of proof currently known still apply
in relativized models of computation.
6.3.3. The Actual Security of OAEP. Shoup [82, 83] furthermore provided a specific
proof for RSA with public exponent 3. However, there is little hope of extending
this proof for higher exponents. Fortunately, Fujisaki, Okamoto, Stern and
the author provided a general security analysis, but under a stronger assumption
about the underlying permutation [32, 33]. Indeed, we prove that the scheme
is IND-CCA in the random-oracle model [10], relative to the partial-domain one-wayness
of permutation $f$.

Partial-Domain One-Wayness. Let us first introduce this new computational assumption.
Let $f$ be a permutation $f : \{0,1\}^k \to \{0,1\}^k$, which can also be written as

$$f : \{0,1\}^{n + k_1} \times \{0,1\}^{k_0} \to \{0,1\}^{n + k_1} \times \{0,1\}^{k_0},$$

with $k = n + k_0 + k_1$. In the original description of OAEP from [11], it is only
required that $f$ is a trapdoor one-way permutation. However, in the following, we
consider two additional related problems, namely partial-domain one-wayness and
set partial-domain one-wayness:

• Permutation $f$ is $(\tau, \varepsilon)$-one-way if any adversary $A$ whose running time is
  bounded by $\tau$ has success probability $\mathsf{Succ}^{\mathrm{ow}}_f(A)$ upper-bounded by $\varepsilon$, where

  $$\mathsf{Succ}^{\mathrm{ow}}_f(A) = \Pr[A(f(s, t)) = (s, t)].$$

• Permutation $f$ is $(\tau, \varepsilon)$-partial-domain one-way if any adversary $A$ whose
  running time is bounded by $\tau$ has success probability $\mathsf{Succ}^{\text{pd-ow}}_f(A)$ upper-bounded
  by $\varepsilon$, where

  $$\mathsf{Succ}^{\text{pd-ow}}_f(A) = \Pr[A(f(s, t)) = s].$$

• Permutation $f$ is $(\ell, \tau, \varepsilon)$-set partial-domain one-way if any adversary $A$, outputting
  a set of $\ell$ elements within time bound $\tau$, has success probability
  $\mathsf{Succ}^{\text{s-pd-ow}}_f(A)$ upper-bounded by $\varepsilon$, where

  $$\mathsf{Succ}^{\text{s-pd-ow}}_f(A) = \Pr[s \in A(f(s, t))].$$

We denote by $\mathsf{Succ}^{\mathrm{ow}}_f(\tau)$ (resp. $\mathsf{Succ}^{\text{pd-ow}}_f(\tau)$ and $\mathsf{Succ}^{\text{s-pd-ow}}_f(\ell, \tau)$) the maximal success
probability $\mathsf{Succ}^{\mathrm{ow}}_f(A)$ (resp. $\mathsf{Succ}^{\text{pd-ow}}_f(A)$ and $\mathsf{Succ}^{\text{s-pd-ow}}_f(A)$). The maximum
ranges over all adversaries whose running time is bounded by $\tau$. In the third case,
there is an obvious additional restriction on this range from the fact that $A$ outputs
sets with $\ell$ elements. It is clear that for any $\tau$ and $\ell \ge 1$,

$$\mathsf{Succ}^{\text{s-pd-ow}}_f(\ell, \tau) \ge \mathsf{Succ}^{\text{pd-ow}}_f(\tau) \ge \mathsf{Succ}^{\mathrm{ow}}_f(\tau).$$

Note that, by randomly selecting an element in the set returned by an adversary to
the set partial-domain one-wayness, one breaks partial-domain one-wayness with
probability $\mathsf{Succ}^{\text{s-pd-ow}}_f(A)/\ell$. This provides the following inequality

$$\mathsf{Succ}^{\text{pd-ow}}_f(\tau) \ge \mathsf{Succ}^{\text{s-pd-ow}}_f(\ell, \tau)/\ell.$$

However, for specific choices of $f$, more efficient reductions may exist. Also, in
some cases, all three problems are polynomially equivalent. This is the case for the
RSA permutation [73], hence the global security result for RSA-OAEP.


6.3.4. The Proof of Security. In the following we use starred letters ($r^*$, $s^*$, $t^*$ and
$y^*$) to refer to the challenge ciphertext, whereas unstarred letters ($r$, $s$, $t$ and $y$)
refer to the ciphertext asked to the decryption oracle.

The Intuition. Referring to our description of the intuition behind the original
OAEP proof of security, given above, we can carry a more subtle analysis by
distinguishing the case where $s$ has not been queried from oracle $H$ from the case
where $r$ has not been queried from $G$. If $s$ is not queried, then $H(s)$ is random and
uniformly distributed and $r$ is necessarily defined as $t \oplus H(s)$. This holds even if $s$
matches with the string $s^*$ coming from the valid ciphertext $y^*$. There is a minute
probability that $t \oplus H(s)$ is queried from $G$ or equals $r^*$. Thus, $G(r)$ is random:
there is little chance that the redundancy $0^{k_1}$ is met and the extractor can safely
reject.

We claim that $r$ cannot match with $r^*$, unless $s^*$ is queried from $H$. This is
because $r^* = t^* \oplus H(s^*)$ equals $r = t \oplus H(s)$ with minute probability. Thus, if $r$
is not queried, then $G(r)$ is random and we similarly infer that the extractor can
safely reject. The argument fails only if $s^*$ is queried.

Thus, rejecting when it cannot combine elements of the lists G-List and H-List
so as to build a pre-image of $y$, the plaintext-extractor is only wrong with minute
probability, unless $s^*$ has been queried by the adversary. This seems to show that
OAEP leads to an IND-CCA encryption scheme if it is difficult to invert $f$ "partially",
which means: given $y^* = f(s^*\|t^*)$, find $s^*$.

The Strategy. Based on the intuition just described, we can formally prove that
applying OAEP encoding to a trapdoor permutation which is difficult to partially
invert leads to an IND-CCA encryption scheme; hence the partial-domain
one-wayness assumption, which expresses the fact that the above partial inversion
problem is difficult.

Chosen-ciphertext security is actually addressed by turning the intuition
explained above into a formal argument, involving a restricted variant of plaintext-awareness
(where the list $C$ of ciphertexts is limited to only one ciphertext, the
challenge ciphertext $y^*$).


Theorem 8. Let $A$ be a CCA-adversary against the semantic security of the
encryption scheme OAEP. Assume that $A$ has advantage $\varepsilon$ and running time
$\tau$ and makes $q_d$, $q_g$ and $q_h$ queries to the decryption oracle, and the hash
functions $G$ and $H$, respectively. Then

$$\varepsilon \le 2 \times \left( \mathsf{Succ}^{\text{s-pd-ow}}_f(q_h, \tau') + \frac{2(q_d + 2)(q_d + 2q_g)}{2^{k_0}} + \frac{3q_d}{2^{k_1}} \right),
\qquad\text{with } \tau' \le \tau + q_g \cdot q_h \cdot (T_f + O(1)),$$

where $T_f$ denotes the time complexity for evaluating $f$.
6.3.5. The Plaintext-Extractor.

Description. In order to prove the security against adaptive chosen-ciphertext attacks,
it is necessary to simulate calls to a decryption oracle. As in the original
paper [11], we design a plaintext-extractor (which is actually the same). But the
analysis is more intricate because the success probability of the extractor cannot be
estimated unconditionally but only relatively to some computational assumption.
When the plaintext-extractor receives a ciphertext $c$, then:

• either $s$ has been queried to $H$ and $r$ has been queried to $G$, in which case
  the extractor finds the cleartext by inspecting the two query lists G-List and
  H-List. One indeed looks up for $(\gamma, G_\gamma) \in$ G-List and $(\delta, H_\delta) \in$ H-List. For
  such a pair, one defines $\sigma = \delta$, $\theta = \gamma \oplus H_\delta$, $\mu = G_\gamma \oplus \delta$, and checks whether
  $c = f(\sigma, \theta)$. If $[\mu]_{k_1} = 0^{k_1}$, then the leading part $[\mu]^n$ is the plaintext.

• or else the decryption of $(s, t)$ remains highly random and there is little chance
  to meet the redundancy $0^{k_1}$: the plaintext-extractor can safely declare the
  ciphertext invalid.

Comments. One can easily check that the output of the plaintext-extractor is
uniquely defined, regardless of the ordering of the lists. To see this, observe that
since $f$ is a permutation, the value of $\sigma = s$ is uniquely defined and so is $\delta$. Keep in
mind that the G-List and H-List correspond to input-output pairs for the functions
$G$ and $H$, and at most one output is related to a given input. This makes $H_\delta$
uniquely defined as well. Similarly, $\theta = t$ is uniquely defined, and thus $\gamma$ and $G_\gamma$:
at most one $\mu$ may be selected, which is output depending on whether $[\mu]_{k_1} = 0^{k_1}$
or not.

Furthermore, if both $r$ and $s$ have been queried by the adversary, the plaintext-extractor
perfectly simulates the decryption oracle.
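As an added example (not the chapter's or the original paper's code), the OAEP scheme of 6.3.1 and the plaintext-extractor of 6.3.5 in Python: $G$ and $H$ are lazily sampled random oracles that record their G-List and H-List, $f$ is a toy RSA trapdoor permutation, and the extractor decrypts from $f$ and the two lists alone. The modulus, the parameter sizes, the sample message and the seed values are constructed for the demonstration and carry no security.

```python
# Added example, not from the chapter: OAEP over a toy RSA trapdoor permutation,
# with G and H as lazily sampled random oracles that keep their query lists
# (the G-List and H-List of Section 6.3.6), and the plaintext-extractor of
# Section 6.3.5, which decrypts from the public f and the two lists alone.
import os
from typing import Dict, Optional, Tuple

# k = n + k0 + k1. Toy sizes, chosen for the demo only: no real security.
N_BITS, K0, K1 = 31, 16, 16
K = N_BITS + K0 + K1                      # 63-bit OAEP output s||t
MASK_K0, MASK_K1 = (1 << K0) - 1, (1 << K1) - 1

# Toy RSA modulus (2^32-5)(2^32-17), constructed for the demo. Every 63-bit
# integer is below N, so f is injective on {0,1}^k; it is not a permutation
# *onto* {0,1}^k, the mismatch discussed in 6.3.7.
P, Q, E = 4294967291, 4294967279, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def f(s: int, t: int) -> int:             # public trapdoor permutation f(s||t)
    return pow((s << K0) | t, E, N)

def f_inv(c: int) -> Tuple[int, int]:     # private inverse f^{-1}(c) -> (s, t)
    x = pow(c, D, N)
    return x >> K0, x & MASK_K0

def random_bits(nbits: int) -> int:
    return int.from_bytes(os.urandom((nbits + 7) // 8), "big") & ((1 << nbits) - 1)

class RandomOracle:
    """Lazily sampled random function with a recorded query list."""
    def __init__(self, out_bits: int):
        self.out_bits = out_bits
        self.list: Dict[int, int] = {}    # input -> output, e.g. (r, G(r))
    def __call__(self, x: int) -> int:
        if x not in self.list:
            self.list[x] = random_bits(self.out_bits)
        return self.list[x]

G = RandomOracle(K - K0)                  # G: {0,1}^k0 -> {0,1}^(k-k0)
H = RandomOracle(K0)                      # H: {0,1}^(k-k0) -> {0,1}^k0

def oaep_encrypt(m: int, r: Optional[int] = None) -> int:
    """E_pk(m; r): s = (m||0^k1) xor G(r), t = r xor H(s), c = f(s, t)."""
    assert 0 <= m < (1 << N_BITS)
    r = random_bits(K0) if r is None else r
    s = (m << K1) ^ G(r)
    t = r ^ H(s)
    return f(s, t)

def oaep_decrypt(c: int) -> Optional[int]:
    """D_sk(c): recover (s, t), then r, then M; accept only if [M]_k1 = 0^k1."""
    s, t = f_inv(c)
    r = t ^ H(s)
    M = s ^ G(r)
    return M >> K1 if M & MASK_K1 == 0 else None   # None means "Reject"

def plaintext_extractor(c: int) -> Optional[int]:
    """Decrypt c WITHOUT the trapdoor, using only the G-List and H-List.
    For each (gamma, G_gamma) and (delta, H_delta): sigma = delta,
    theta = gamma xor H_delta, mu = G_gamma xor delta; accept when
    f(sigma, theta) == c and [mu]_k1 = 0^k1, returning [mu]^n."""
    for gamma, g_gamma in G.list.items():
        for delta, h_delta in H.list.items():
            sigma, theta, mu = delta, gamma ^ h_delta, g_gamma ^ delta
            if f(sigma, theta) == c and mu & MASK_K1 == 0:
                return mu >> K1
    return None                           # no consistent pair: "Reject"

def forged_without_g_query(r: int) -> int:
    """A ciphertext built with a made-up value in place of G(r), so r never
    enters the G-List. It passes the redundancy check only with probability
    2^-k1, and the extractor rejects it, as in Game G3 of the proof."""
    s = random_bits(K - K0)               # stands in for (m||0^k1) xor G(r)
    t = r ^ H(s)
    return f(s, t)

if __name__ == "__main__":
    c = oaep_encrypt(0x5EC0DE, r=5)
    print(oaep_decrypt(c), plaintext_extractor(c))        # 6209758 6209758
    print(plaintext_extractor(forged_without_g_query(6)))  # None
```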


6.3.6. Proof. In the following, $y^*$ is the challenge ciphertext, obtained from the
encryption oracle. Since we have in mind using the plaintext-extractor instead of
the decryption oracle, trying to contradict semantic security, we assume that $y^*$ is
a ciphertext of $m_b$ and denote by $r^*$ its random seed. We have

$$r^* = H(s^*) \oplus t^* \qquad\text{and}\qquad G(r^*) = s^* \oplus (m_b\|0^{k_1}).$$

In what follows, all unstarred variables refer to the decryption queries.
We now present a proof with games which sequentially discard all cases for
which the above plaintext-extractor may fail.

Game $\mathbf{G}_0$: A pair of keys $(\mathsf{pk}, \mathsf{sk})$ is generated using $\mathcal{K}(1^k)$. Adversary $A_1$ is fed
with $\mathsf{pk}$, the description of $f$, and outputs a pair of messages $(m_0, m_1)$. Next a
challenge ciphertext is produced by flipping a coin $b$ and producing a ciphertext
$y^*$ of $m_b$. This ciphertext comes from a random $r^* \leftarrow \{0,1\}^{k_0}$ and $s^*$ and $t^*$ such
that $y^* = f(s^*, t^*)$, where $s^* = (m_b\|0^{k_1}) \oplus G(r^*)$ and $t^* = r^* \oplus H(s^*)$. On input
$y^*$, $A_2$ outputs bit $b'$. In both stages, the adversary is given additional access to
the decryption oracle $\mathcal{D}_{\mathsf{sk}}$. The only requirement is that the challenge ciphertext
cannot be queried from the decryption oracle.

We denote by $S_0$ the event $b' = b$ and use a similar notation $S_i$ in any $\mathbf{G}_i$
below. By definition, we have

$$\Pr[S_0] = \frac{1}{2} + \frac{\varepsilon}{2}. \tag{21}$$

Game $\mathbf{G}_1$: In this game, one makes the classical simulation of the random
oracles, with random answers for any new query, as shown on Figure 12. This
game is clearly identical to the previous one.

Game $\mathbf{G}_2$: In this game, one randomly chooses $r^+ \leftarrow \{0,1\}^{k_0}$ and $g^+ \leftarrow
\{0,1\}^{k - k_0}$, and uses $r^+$ instead of $r^*$, as well as $g^+$ instead of $G(r^*)$.

▷ Rule Chal-Hash$^{(2)}$
    The two values $r^+ \leftarrow \{0,1\}^{k_0}$, $g^+ \leftarrow \{0,1\}^{k - k_0}$ have been
    chosen ahead of time, then set $r^* = r^+$, $g^* = g^+$,
    $s^* = M^* \oplus g^+$, $h^* = H(s^*)$, $t^* = r^+ \oplus h^*$.

The two games $\mathbf{G}_2$ and $\mathbf{G}_1$ are perfectly indistinguishable unless $r^*$ is asked for $G$,
either by the adversary or by the decryption oracle. We define this event $\mathsf{AskG}_2$.
We have:

$$\bigl|\Pr[S_2] - \Pr[S_1]\bigr| \le \Pr[\mathsf{AskG}_2]. \tag{22}$$

In this game, $g^+$ is used in $(s^*, t^*)$ but does not appear in the computation since
$G(r^*)$ is not defined to be equal to $g^+$. Thus, the input to $A_2$ follows a distribution
that does not depend on $b$. Accordingly:

$$\Pr[S_2] = \frac{1}{2}. \tag{23}$$

Game $\mathbf{G}_3$: We start dealing with the decryption oracle, which has remained
perfect up to this game, but using the ability to invert $f$. We first make the
decryption oracle reject all ciphertexts $c$ such that the corresponding $r$ value has
not been previously queried from $G$ by the adversary.

▷ Rule Decrypt-SnoR$^{(3)}$
    $g = G(r)$, $M = 1^k$.

This new rule leads to a Reject since the $0^{k_1}$ is not verified. This makes a difference
only if $c$ is a valid ciphertext, while $G(r)$ has not been asked. Since $G(r)$ is uniformly
distributed, equality $[s \oplus G(r)]_{k_1} = 0^{k_1}$ happens with probability $1/2^{k_1}$. Summing
up for all decryption queries, we get

$$\bigl|\Pr[\mathsf{AskG}_3] - \Pr[\mathsf{AskG}_2]\bigr| \le \frac{q_d}{2^{k_1}}. \tag{24}$$

Note that we cannot remove the query $G(r)$ from this rule, even if it would not
change anything in the simulation of the output of this decryption. However, it
would remove a pair $(r, g)$ from G-List, which could be $r^*$ itself, and this would
have a non-negligible impact on the event $\mathsf{AskG}_3$.
G, H Oracles:
    Query $G(r)$: if a record $(r, g)$ appears in G-List, the answer is $g$.
    Otherwise the answer $g$ is chosen randomly: $g \leftarrow \{0,1\}^{k - k_0}$ and the
    record $(r, g)$ is added in G-List.

    Query $H(s)$: if a record $(s, h)$ appears in H-List, the answer is $h$.
    Otherwise the answer $h$ is chosen randomly: $h \leftarrow \{0,1\}^{k_0}$ and the
    record $(s, h)$ is added in H-List.

D Oracle:
    Query $\mathcal{D}_{\mathsf{sk}}(c)$: the value $M$ is defined according to the following rules:

    ▷ Rule Decrypt-Init
        Compute $(s, t) = f^{-1}(c)$;
        Look up for $(s, h) \in$ H-List:
        • if the record is found, compute $r = t \oplus h$.
          Look up for $(r, g) \in$ G-List:
          – if the record is found
              ▷ Rule Decrypt-SR$^{(1)}$
                  $h = H(s)$, $r = t \oplus h$, $g = G(r)$, $M = s \oplus g$.
          – otherwise
              ▷ Rule Decrypt-SnoR$^{(1)}$
                  same as rule Decrypt-SR$^{(1)}$.
        • otherwise
              ▷ Rule Decrypt-noS$^{(1)}$
                  same as rule Decrypt-SR$^{(1)}$.
    If $[M]_{k_1} = 0^{k_1}$, one returns $m = [M]^n$, otherwise one returns "Reject".

Challenger:
    For two messages $(m_0, m_1)$, flip a coin $b$ and set $m^* = m_b$, $M^* = m^*\|0^{k_1}$.

    ▷ Rule Chal-Hash$^{(1)}$
        Choose randomly $r^*$, then set $g^* = G(r^*)$, $s^* = M^* \oplus g^*$,
        $h^* = H(s^*)$, $t^* = r^* \oplus h^*$.

    ▷ Rule Chal-Output$^{(1)}$
        Compute and output $y^* = f(s^*, t^*)$.

FIGURE 12. Formal Simulation of the IND-CCA Game against OAEP


Game $\mathbf{G}_4$: We now make the decryption oracle reject all ciphertexts $c$ such
that the corresponding $s$ value has not been previously queried from $H$ by the
adversary.

▷ Rule Decrypt-noS$^{(4)}$
    $h = H(s)$, $r = t \oplus h$, $g = G(r)$, $M = 1^k$.

This makes a difference only if $y$ is a valid ciphertext, while $H(s)$ has not been
asked. First, since $r = H(s) \oplus t$ is uniformly distributed, it has been queried from
$G$ with probability less than $(q_g + q_d)/2^{k_0}$. Then, if $G(r)$ has not been queried,
the redundancy is satisfied with probability less than $1/2^{k_1}$. Summing up for all
decryption queries, we get

$$\bigl|\Pr[\mathsf{AskG}_4] - \Pr[\mathsf{AskG}_3]\bigr| \le \frac{q_d(q_g + q_d)}{2^{k_0}} + \frac{q_d}{2^{k_1}}. \tag{25}$$

Game $\mathbf{G}_5$: Here, we can make the first formal modification in the previous game
since, whatever the $h$-value is, the message $M$ is $1^k$, and $g$ and $h$ are never revealed:

▷ Rule Decrypt-noS$^{(5)}$
    $h = H(s)$, $M = 1^k$.

This will just postpone the definition of $G(r)$ and also remove one pair $(r, g)$ from
G-List. The latter removal may have some impact:

• on the simulation of a later decryption $c'$, if $r' = r$ was found in the previous
  game, but that is no longer in the list. A rule Decrypt-SR is thus replaced
  by the rule Decrypt-SnoR, which means that $g' = g$ was just defined in the
  modified rule, and never revealed (by any means: no information is leaked).
  Therefore, the probability for $M'$ to satisfy the redundancy was $2^{-k_1}$;

• the removed $r$ could be $r^*$, but this is $t \oplus H(s)$, for $s \notin$ H-List. Such a case is
  bounded by $2^{-k_0}$.

Summing up for all decryption queries, we get

$$\bigl|\Pr[\mathsf{AskG}_5] - \Pr[\mathsf{AskG}_4]\bigr| \le q_d \times \left( \frac{1}{2^{k_1}} + \frac{1}{2^{k_0}} \right). \tag{26}$$

Game $\mathbf{G}_6$: We follow in making formal modifications:

▷ Rule Decrypt-noS$^{(6)}$
    $M = 1^k$.

This will postpone the definition of $H(s)$, and also remove the pair $(s, h)$ from
H-List. The latter removal may have some impact on the simulation of a later
decryption $c'$: if $s' = s$ was found in the previous game, but that is no longer in
the list:

• a rule Decrypt-SnoR is replaced by the rule Decrypt-noS (which just
  cancels $r'$ from G-List), which means that $h' = h$ was just defined in the
  modified rule, and never revealed. The probability for $r'$ to be equal to $r^*$ is
  $2^{-k_0}$;

• a rule Decrypt-SR is replaced by the rule Decrypt-noS, which means
  that $h' = h$ was just defined in the modified rule, and never revealed. The
  probability for $r' = t' \oplus h'$ to be in G-List was less than $q_g/2^{k_0}$, which is an
  upper-bound of this case to appear.

In both cases, the decryption is anyway still the same. Summing up for all decryption
queries, we get

$$\bigl|\Pr[\mathsf{AskG}_6] - \Pr[\mathsf{AskG}_5]\bigr| \le \frac{q_d(q_g + 1)}{2^{k_0}}. \tag{27}$$

Furthermore, in the decryption simulation, when both $r$ and $s$ have been
asked, no new query occurs:

▷ Rule Decrypt-SR$^{(6)}$
    $M = s \oplus g$.

As a consequence, the new decryption simulation makes no new $H$-query.


Game $\mathbf{G}_7$: We now define $s^*$ independently of anything else, as well as $H(s^*)$,
by randomly choosing $s^+ \leftarrow \{0,1\}^{k - k_0}$ and $h^+ \leftarrow \{0,1\}^{k_0}$, and using $s^+$ instead
of $s^*$, as well as $h^+$ instead of $H(s^*)$. The only change is that $s^* = s^+$ instead of
$M^* \oplus g^+$, which in some sense defines $g^+ = M^* \oplus s^+$ but we do not need it. The
game obeys the following rule:

▷ Rule Chal-Hash$^{(7)}$
    The three values $r^+ \leftarrow \{0,1\}^{k_0}$, $s^+ \leftarrow \{0,1\}^{k - k_0}$ and $h^+ \leftarrow \{0,1\}^{k_0}$
    have been chosen ahead of time, then set $s^* = s^+$, $t^* = r^+ \oplus h^+$.

The two games $\mathbf{G}_7$ and $\mathbf{G}_6$ are perfectly indistinguishable unless $s^*$ is asked for $H$
by the adversary, or used by the decryption oracle. The former event is denoted
$\mathsf{AskH}_7$, while the latter makes a difference only if the rule Decrypt-SR was
used, with an accepted ciphertext, or the rule Decrypt-SnoR$^{(6)}$ was used, with
$r = r^*$ (because this rule becomes Decrypt-noS, where no $G(r)$ query is done,
since it could have been $r^*$, and thus made the event $\mathsf{AskG}$ happen).

We thus insist here on that the event $\mathsf{AskH}_7$ denotes the fact that $s^*$ is asked
for $H$ by the adversary, whereas the event $\mathsf{AskG}$ denotes the fact that $r^*$ is asked
for $G$ by the adversary or the decryption oracle/simulation.

Let us briefly deal with the bad cases:

• the rule Decrypt-SR was used, with an accepted ciphertext. This means
  that there exists a valid ciphertext $c = f(s^*\|t)$ that is queried to the decryption
  oracle, with the corresponding $r$ queried to $G$, where $r = t \oplus H(s^*) =
  t \oplus t^* \oplus r^+$, and $r^+$ is a random value;

• the rule Decrypt-SnoR$^{(6)}$ was used, with $r = r^+$, where $r^+$ is a random
  value.

$$\bigl|\Pr[\mathsf{AskG}_7] - \Pr[\mathsf{AskG}_6]\bigr| \le \Pr[\mathsf{AskH}_7] + \frac{q_d(q_g + q_d)}{2^{k_0}} + \frac{q_d}{2^{k_0}}. \tag{28}$$

In this new game, $r^* = t^* \oplus h^+$ is uniformly distributed, and independent of the
adversary's view, since $h^+$ is never revealed:

$$\Pr[\mathsf{AskG}_7] \le \frac{q_g + q_d}{2^{k_0}}, \tag{29}$$

where $q_g$ and $q_d$ denote the number of queries asked by the adversary to $G$, or to
the decryption oracle, respectively. As a consequence,

$$\Pr[\mathsf{AskG}_2] \le \frac{3q_d}{2^{k_1}} + \frac{(2q_d + 1)(q_g + q_d)}{2^{k_0}} + \frac{q_d(q_g + 3)}{2^{k_0}} + \Pr[\mathsf{AskH}_7]. \tag{30}$$
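The sum behind (30), carried through term by term from (24) to (29), as an added check that is not part of the original text; the last line also shows how (30) yields the additive terms of Theorem 8 once $\Pr[\mathsf{AskH}_7]$ is bounded by (31):

$$\begin{aligned}
\Pr[\mathsf{AskG}_2] &\le \Pr[\mathsf{AskG}_7] + \sum_{i=3}^{7} \bigl|\Pr[\mathsf{AskG}_i] - \Pr[\mathsf{AskG}_{i-1}]\bigr| \\
&\le \frac{q_g + q_d}{2^{k_0}}
 + \frac{q_d}{2^{k_1}}
 + \Bigl(\frac{q_d(q_g + q_d)}{2^{k_0}} + \frac{q_d}{2^{k_1}}\Bigr)
 + q_d \Bigl(\frac{1}{2^{k_1}} + \frac{1}{2^{k_0}}\Bigr)
 + \frac{q_d(q_g + 1)}{2^{k_0}}
 + \Bigl(\Pr[\mathsf{AskH}_7] + \frac{q_d(q_g + q_d)}{2^{k_0}} + \frac{q_d}{2^{k_0}}\Bigr) \\
&= \frac{3q_d}{2^{k_1}} + \frac{2q_d(q_g + q_d) + q_d q_g + 4q_d + q_g}{2^{k_0}} + \Pr[\mathsf{AskH}_7] \\
&= \frac{3q_d}{2^{k_1}} + \frac{(2q_d + 1)(q_g + q_d)}{2^{k_0}} + \frac{q_d(q_g + 3)}{2^{k_0}} + \Pr[\mathsf{AskH}_7],
\end{aligned}$$

since $(2q_d + 1)(q_g + q_d) + q_d(q_g + 3) = 2q_d(q_g + q_d) + q_d q_g + 4q_d + q_g$. Moreover
$3q_d q_g + 2q_d^2 + 4q_d + q_g \le 2q_d^2 + 4q_d q_g + 4q_d + 8q_g = 2(q_d + 2)(q_d + 2q_g)$, so with
$\varepsilon/2 = |\Pr[S_1] - \Pr[S_2]| \le \Pr[\mathsf{AskG}_2]$ from (21) to (23):

$$\varepsilon \le 2 \times \left( \Pr[\mathsf{AskH}_7] + \frac{2(q_d + 2)(q_d + 2q_g)}{2^{k_0}} + \frac{3q_d}{2^{k_1}} \right).$$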
Game $\mathbf{G}_8$: Finally, we define $s^*$ and $t^*$ independently of anything else, by
randomly choosing $s^+ \leftarrow \{0,1\}^{k - k_0}$ and $t^+ \leftarrow \{0,1\}^{k_0}$:

▷ Rule Chal-Hash$^{(8)}$
    The two values $s^+ \leftarrow \{0,1\}^{k - k_0}$ and $t^+ \leftarrow \{0,1\}^{k_0}$ have
    been chosen ahead of time, then set $s^* = s^+$, $t^* = t^+$.

The two games $\mathbf{G}_8$ and $\mathbf{G}_7$ are perfectly indistinguishable.

Game $\mathbf{G}_9$: We now completely manufacture the challenge ciphertext: we randomly
choose $y^+ \leftarrow \{0,1\}^k$, and simply set $y^* = y^+$, ignoring the encryption
algorithm altogether. This implicitly defines $s^*$ and $t^*$, because of the permutation
property of $f$. Actually, $y^+$ is the given random challenge for which one is
looking for the partial pre-image $s^*$.

▷ Rule Chal-Hash$^{(9)}$
    Do nothing.

▷ Rule Chal-Output$^{(9)}$
    The challenge $y^+ \leftarrow \{0,1\}^k$ has been given ahead of time,
    then set and output $y^* = y^+$.

The distribution of $y^*$ remains the same: due to the fact that $f$ is a permutation,
the previous method defining $y^* = f(s^*\|t^*)$, with $s^* = s^+$ and $t^* = t^+$, was already
generating a uniform distribution over the $k$-bit elements.

Game $\mathbf{G}_{10}$: Before concluding, one may remark that the new simulation of the
decryption oracle is exactly the way the plaintext-extractor previously explained
would operate, with some extra but useless $G$-queries. Since we do not care
anymore about the event $\mathsf{AskG}_{10}$, they can be simplified:

▷ Rule Decrypt-SR$^{(10)}$
    $M = s \oplus g$.

▷ Rule Decrypt-SnoR$^{(10)}$
    $M = 1^k$.

▷ Rule Decrypt-noS$^{(10)}$
    $M = 1^k$.

Finally, simply outputting the list of queries to $H$ during this game, one gets

$$\Pr[\mathsf{AskH}_{10}] \le \mathsf{Succ}^{\text{s-pd-ow}}_f(q_h, \tau'). \tag{31}$$

To conclude the proof of Theorem 8, one just has to comment on the running
time $\tau'$. Although the plaintext-extractor is called $q_d$ times, there is no $q_d$
multiplicative factor in the bound for $\tau'$. This comes from a simple bookkeeping
argument. Instead of only storing the lists G-List and H-List, one stores an
additional structure consisting of tuples $(\gamma, G_\gamma, \delta, H_\delta, y)$. A tuple is included only
for $(\gamma, G_\gamma) \in$ G-List and $(\delta, H_\delta) \in$ H-List. For such a pair, one defines $\sigma = \delta$,
$\theta = \gamma \oplus H_\delta$, $\mu = G_\gamma \oplus \delta$, and computes $y = f(\sigma, \theta)$. If $[\mu]_{k_1} = 0^{k_1}$, one stores the
tuple $(\gamma, G_\gamma, \delta, H_\delta, y)$. The cumulative cost of maintaining the additional structure
is $q_g \cdot q_h \cdot (T_f + O(1))$, but handing it to the plaintext-extractor allows one to
output the expected decryption of $y$, by table lookup, in constant time. Of course,
a time-space tradeoff is possible, giving up the additional table, but raising the
computing time to $q_d \cdot q_g \cdot q_h \cdot (T_f + O(1))$.

6.3.7. Particular Case: RSA-OAEP. Theorem 8 unfortunately requires a very
strong assumption on the trapdoor permutation: the partial-domain one-wayness.
Fortunately, in [33], we furthermore proved that for RSA, this is not a stronger
assumption than the classical RSA assumption:

Lemma 4. Let $A$ be an algorithm that outputs a $q$-set containing $k - k_0$ of the
most significant bits of the $e$-th root of its input (partial-domain RSA, for any
modulus $N$, with $2^{k-1} < N < 2^k$ and $k > 2k_0$), within time bound $t$, with
probability $\varepsilon$. There exists an algorithm that solves the RSA problem $(N, e)$ with
success probability $\varepsilon'$, within time bound $t'$ where

$$\varepsilon' \ge \varepsilon \times \bigl(\varepsilon - 2^{2k_0 - k + 6}\bigr), \qquad t' \le 2t + q^2 \times O(k^3).$$

Combining this lemma with the previous general security result about OAEP,
one gets

Theorem 9. Let $A$ be a CCA-adversary against the "semantic security" of
RSA-OAEP (where the modulus is $k$-bit long, $k > 2k_0$), with running time
bounded by $t$ and advantage $\varepsilon$, making $q_d$, $q_g$ and $q_h$ queries to the decryption
oracle, and the hash functions $G$ and $H$, respectively. Then the RSA problem
can be solved with probability $\varepsilon'$ greater than

$$\frac{\varepsilon^2}{4} - \varepsilon \times \left( \frac{2(q_d + 2)(q_d + 2q_g)}{2^{k_0}} + \frac{3q_d}{2^{k_1}} + \frac{32}{2^{k - 2k_0}} \right)$$

within time bound $t' \le 2t + q_h \cdot (q_h + 2q_g) \times O(k^3)$.

There is actually a slight inconsistency in piecing together the two above
results, coming from the fact that RSA is not a permutation over $k$-bit strings.
Research papers usually ignore the problem. Of course, standards have to cope
with it. Observe that one may decide only to encode a message of $n - 8$ bits, where
$n$ is $k - k_0 - k_1$ as before, as is done in the PKCS #1 standard. The additional
redundancy leading bit can be treated the same way as the $0^{k_1}$ redundancy, especially
with respect to decryption. However, this is not enough since $G(r)$ might
still carry the string $(s\|t)$ outside the domain of the RSA encryption function. An
easy way out is to start with another random seed if this happens. On average,
256 trials will be enough.

This security result does not achieve the practical security, because of the
expensive reduction. In [33], we improved the reduction cost, with a more intricate
proof. More precisely:
Theorem 10. Let $A$ be a CCA-adversary against the "semantic security" of
RSA-OAEP (where the modulus is $k$-bit long, $k > 2k_0$), with running time
bounded by $t$ and advantage $\varepsilon$, making $q_d$, $q_g$ and $q_h$ queries to the decryption
oracle, and the hash functions $G$ and $H$, respectively. Then the RSA problem
can be solved with probability $\varepsilon'$ greater than

$$\frac{\varepsilon^2}{4} - \varepsilon \times \left( \frac{2q_d q_g + q_d + q_g}{2^{k_0}} + \frac{2q_d}{2^{k_1}} + \frac{32}{2^{k - 2k_0}} \right)$$

within time bound $t' \le 2t + q_h \cdot (q_h + 2q_g) \times O(k^3)$.

Unfortunately, the reduction is still very expensive, and is thus meaningful
for huge moduli only, more than 4096-bit long. Indeed, the RSA inverter we can
build, thanks to this reduction, has a complexity at least greater than $q_h \cdot (q_h +
2q_g) \times O(k^3)$. As already remarked, the adversary can ask up to $2^{60}$ queries to the
hash functions, and thus this overhead in the inversion is at least $2^{120}$. However,
current factoring algorithms can factor up to 4096 bit-long integers within this
number of basic operations (see [47] for complexity estimates of the most efficient
factoring algorithms).

Anyway, the formal proof shows that the global design of OAEP is sound,
and that it is still probably safe to use it in practice (e.g. in PKCS #1 v2.0, while
being very careful during the implementation [49]).


6.4. REACT: a Rapid Enhanced-security Asymmetric Cryptosystem Transform

Unfortunately, there is no hope to use OAEP with any DL-based primitive, because
of the "permutation" requirement. The OAEP construction indeed requires the
primitive to be a permutation (trapdoor partial-domain one-way), which is the
case of the RSA function. However, the only trapdoor problem known in the
DL-setting is the Diffie-Hellman problem, and it does not provide any bijection.
Thus, first Fujisaki and Okamoto [30] proposed a generic conversion from any IND-CPA
scheme into an IND-CCA one, in the random-oracle model. While applying
this conversion to the above El Gamal encryption (see Section 6.1), one obtains an
IND-CCA encryption scheme relative to the DDH problem. Later, independently,
Fujisaki and Okamoto [31] and the author [62] proposed better generic conversions
since they apply to any OW-CPA scheme to make it into an IND-CCA one, still in
the random-oracle model.

This high security level is just at the cost of two more hashings for the new
encryption algorithm, as well as two more hashings plus one re-encryption for the
new decryption process.

6.4.1. Description. The re-encryption cost is the main drawback of these conversions
for practical purposes. Therefore, Okamoto and the author tried and succeeded
in providing a conversion that is both secure and efficient [59]: REACT,
for "Rapid Enhanced-security Asymmetric Cryptosystem Transform". It is actually
quite similar to the BR construction, except that it applies to any trapdoor
one-way function, not permutations only.
$\mathcal{K}'$: $(\mathsf{pk}, \mathsf{sk}) \leftarrow \mathcal{K}(1^\kappa)$ $\;\to\;$ $(\mathsf{pk}, \mathsf{sk})$

$\mathcal{E}'$: Encryption of $m \in \mathcal{M}' = \{0,1\}^\ell$ $\;\to\;$ $(a, b, c)$
    $R \in \mathcal{M}$ and $r \in \mathcal{R}$ are randomly chosen
    $a = \mathcal{E}_{\mathsf{pk}}(R; r)$, $\quad b = m \oplus G(R)$, $\quad c = H(R, m, a, b)$
    $\to$ $(a, b, c)$ is the ciphertext

$\mathcal{D}'$: Given $a \in \mathcal{C}$, $b \in \{0,1\}^\ell$ and $c \in \{0,1\}^\kappa$
    $R = \mathcal{D}_{\mathsf{sk}}(a)$, $\quad m = b \oplus G(R)$
    if $c = H(R, m, a, b)$ and $R \in \mathcal{M}$ $\;\to\;$ $m$ is the plaintext
    (otherwise, "Reject: invalid ciphertext")

FIGURE 13. Rapid Enhanced-security Asymmetric Cryptosystem
Transform REACT $= (\mathcal{K}', \mathcal{E}', \mathcal{D}')$


The latter conversion is indeed very efficient in many senses: 


e the computational overhead is just the cost of two hashings for both encryp- 
tion and decryption 

e if one can break IND-CCA of the resulting scheme with an expected time T, 
one can break OW-PCA of the basic scheme within almost the same amount 
of time, with a low overhead (not as with OAEP). It thus provides a practical 
security result. 


Let us describe this generic conversion REACT [59] on any encryption scheme $\mathcal{S} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$, 

$$\mathcal{E}: \mathcal{PK} \times \mathcal{M} \times \mathcal{R} \to \mathcal{C}, \qquad \mathcal{D}: \mathcal{SK} \times \mathcal{C} \to \mathcal{M},$$

where $\mathcal{PK}$ and $\mathcal{SK}$ are the sets of the public and private keys, $\mathcal{M}$ is the message space, $\mathcal{C}$ is the ciphertext space and $\mathcal{R}$ is the random-coin space. One should remark that $\mathcal{R}$ may be small and even empty, with a deterministic encryption scheme such as RSA. But in many other cases, such as the El Gamal encryption, it is as large as $\mathcal{M}$. We also need two hash functions $G$ and $H$, 

$$G: \mathcal{M} \to \{0,1\}^\ell, \qquad H: \mathcal{M} \times \{0,1\}^\ell \times \mathcal{C} \times \{0,1\}^\ell \to \{0,1\}^k,$$

where $k$ is the security parameter, while $\ell$ denotes the size of the messages to encrypt. The REACT conversion is depicted on Figure 13. 
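As an added example (not code from the chapter), Figure 13 instantiated in Python with textbook RSA as the underlying trapdoor one-way function, so that $\mathcal{M} = \mathcal{C} = \mathbb{Z}_n$ and the coin space $\mathcal{R}$ is empty; $G$ and $H$ are modelled by SHA-256 with domain separation, and the primes and plaintext are constructed for illustration only.

```python
# Added example (not from the chapter): REACT of Figure 13 over textbook RSA.
# RSA is deterministic, so E_pk(R; r) = R^e mod n takes no coins r. G and H are
# modelled by SHA-256 with a one-byte domain separator; the 17/21-bit primes
# used in the test are a constructed toy key, far too small for any real use.
import hashlib
import secrets

ELL = 128      # message length ell (bits); m in {0,1}^ell
K_BITS = 128   # security parameter k: length of the tag c = H(R, m, a, b)

def rsa_keygen_toy(p, q, e=65537):
    """Toy RSA key pair; returns (pk, sk) = ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def _enc(x, n):
    return x.to_bytes((n.bit_length() + 7) // 8, "big")

def G(R, n):
    """G: M -> {0,1}^ell, the mask derived from the random element R."""
    return hashlib.sha256(b"G" + _enc(R, n)).digest()[:ELL // 8]

def H(R, m, a, b, n):
    """H: M x {0,1}^ell x C x {0,1}^ell -> {0,1}^k, tag over everything."""
    data = b"H" + _enc(R, n) + m + _enc(a, n) + b
    return hashlib.sha256(data).digest()[:K_BITS // 8]

def xor(x, y):
    return bytes(u ^ v for u, v in zip(x, y))

def react_encrypt(pk, m):
    """E': m in {0,1}^ell -> (a, b, c) with a fresh random R in Z_n."""
    n, e = pk
    if len(m) != ELL // 8:
        raise ValueError("message must be exactly ell bits")
    R = secrets.randbelow(n - 1) + 1
    a = pow(R, e, n)          # a = E_pk(R)
    b = xor(m, G(R, n))       # b = m xor G(R)
    c = H(R, m, a, b, n)      # c = H(R, m, a, b)
    return a, b, c

def react_decrypt(sk, ct):
    """D': recover R, unmask m, and release m only if the tag c verifies."""
    n, d = sk
    a, b, c = ct
    if not (0 <= a < n) or len(b) != ELL // 8 or len(c) != K_BITS // 8:
        return None           # malformed ciphertext: "Reject"
    R = pow(a, d, n)          # R = D_sk(a); every a in Z_n decrypts to some R in M
    m = xor(b, G(R, n))       # m = b xor G(R)
    if not secrets.compare_digest(c, H(R, m, a, b, n)):
        return None           # "Reject: invalid ciphertext"
    return m
```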
6.4.2. Security Result. About this construction, one can prove: 

Theorem 11. Let $\mathcal{A}$ be a CCA-adversary against the semantic security of the encryption scheme REACT $= (\mathcal{K}', \mathcal{E}', \mathcal{D}')$. Assume that $\mathcal{A}$ has advantage $\varepsilon$ and running time $\tau$ and makes $q_D$, $q_G$ and $q_H$ queries to the decryption oracle, and the hash functions $G$ and $H$, respectively. Then 

$$\varepsilon \le 2 \cdot \mathrm{Succ}^{\mathrm{ow\text{-}pca}}_{\mathcal{S}}\big(\tau + (q_G + q_H) \cdot T_{pca}\big) + \frac{6\,q_D}{2^k},$$

where $T_{pca}$ denotes the time required by the PCA oracle to answer any query. 





Proof. In the following we use starred letters (r*, a*, b*, c* and y*) to refer to 
the challenge ciphertext, whereas unstarred letters (r, a, b, c and y) refer to the 
ciphertext asked to the decryption oracle. 


Game $\mathbf{G}_0$: A pair of keys $(pk, sk)$ is generated using $\mathcal{K}(1^k)$. Adversary $\mathcal{A}_1$ is fed with $pk$, and outputs a pair of messages $(m_0, m_1)$. Next a challenge ciphertext is produced by flipping a coin $b$ and producing a ciphertext $y^* = a^*\|b^*\|c^*$ of $m_b$. This ciphertext comes from random $R^* \xleftarrow{R} \mathcal{M}$ and $r^* \xleftarrow{R} \mathcal{R}$, with $a^* = \mathcal{E}_{pk}(R^*, r^*)$, $b^* = m_b \oplus G(R^*)$ and $c^* = H(R^*, m_b, a^*, b^*)$. On input $y^*$, $\mathcal{A}_2$ outputs bit $b'$. In both stages, the adversary is given additional access to the decryption oracle $\mathcal{D}'_{sk}$. The only requirement is that the challenge ciphertext cannot be queried from the decryption oracle. 

We denote by $S_0$ the event $b' = b$ and use a similar notation $S_i$ in any $\mathbf{G}_i$ below. By definition, we have 

$$\Pr[S_0] = \frac{1}{2} + \frac{\varepsilon}{2}. \tag{32}$$
Game $\mathbf{G}_1$: In this game, one makes the classical simulation of the random oracles, with random answers for any new query, as shown on Figure 14. This game is clearly identical to the previous one. 

Game $\mathbf{G}_2$: In this game, one randomly chooses $h^+ \in \{0,1\}^k$, and uses it instead of $H(R^*, m^*, a^*, b^*)$. 

    ▷ Rule Chal–Hash$^{(2)}$ 
    The value $h^+ \xleftarrow{R} \{0,1\}^k$ has been chosen ahead of time; choose randomly $R^*$ and $r^*$, then set 
    $a^* = \mathcal{E}_{pk}(R^*, r^*)$, $g^* = G(R^*)$, $b^* = m^* \oplus g^*$, $c^* = h^+$. 

The two games $\mathbf{G}_2$ and $\mathbf{G}_1$ are perfectly indistinguishable unless $(R^*, m^*, a^*, b^*)$ is asked for $H$, either by the adversary or the decryption oracle. But the latter case is not possible, otherwise the decryption query would be the challenge ciphertext itself. More generally, we denote by $\mathsf{AskR}_2$ the event that $R^*$ has been asked to $G$ or to $H$, by the adversary. We have: 

$$|\Pr[S_2] - \Pr[S_1]| \le \Pr[\mathsf{AskR}_2]. \tag{33}$$
    Query $G(r)$: if a record $(r, g)$ appears in $G$-List, the answer is $g$. Otherwise the answer $g$ is chosen randomly: $g \in \{0,1\}^\ell$ and the record $(r, g)$ is added in $G$-List. 

    Query $H(R, m, a, b)$: if a record $(R, m, a, b, h)$ appears in $H$-List, the answer is $h$. Otherwise the answer $h$ is chosen randomly: $h \in \{0,1\}^k$ and the record $(R, m, a, b, h)$ is added in $H$-List. 

                                        $G$, $H$ Oracles 

    Query $\mathcal{D}'_{sk}(a\|b\|c)$: one applies the following rules: 

    ▷ Rule Decrypt–R$^{(1)}$ 
    Compute $R = \mathcal{D}_{sk}(a)$. 

    Then, compute $m = b \oplus G(R)$, and finally, 

    ▷ Rule Decrypt–H$^{(1)}$ 
    If $c = H(R, m, a, b)$, one returns $m$, otherwise one returns “Reject.” 

    For two messages $(m_0, m_1)$, flip a coin $b$ and set $m^* = m_b$. 

    ▷ Rule Chal–Hash$^{(1)}$ 
    Choose randomly $R^*$ and $r^*$, then set 
    $a^* = \mathcal{E}_{pk}(R^*, r^*)$, $g^* = G(R^*)$, $b^* = m^* \oplus g^*$, $c^* = H(R^*, m^*, a^*, b^*)$. 
    Then, output $y^* = a^*\|b^*\|c^*$. 

                                        Challenger 

FIGURE 14. Formal Simulation of the IND-CCA Game against REACT 


Game $\mathbf{G}_3$: We start modifying the simulation of the decryption oracle, by rejecting any ciphertext $(a\|b\|c)$ for which the corresponding $(R, m, a, b)$ has not been queried to $H$: 

    ▷ Rule Decrypt–H$^{(3)}$ 
    Look up in $H$-List for $(R, m, a, b, c)$. If such a record does not exist, then output “Reject”, otherwise output $m$. 

Such a simulation differs from the previous one if the value $c$ has been correctly guessed, by chance: 

$$|\Pr[S_3] - \Pr[S_2]| \le \frac{q_D}{2^k}, \qquad |\Pr[\mathsf{AskR}_3] - \Pr[\mathsf{AskR}_2]| \le \frac{q_D}{2^k}. \tag{34}$$


Game $\mathbf{G}_4$: In this game, one randomly chooses $R^+ \xleftarrow{R} \mathcal{M}$ and $r^+ \xleftarrow{R} \mathcal{R}$, and $g^+ \xleftarrow{R} \{0,1\}^\ell$, and uses $R^+$ instead of $R^*$, $r^+$ instead of $r^*$, as well as $g^+$ instead of $G(R^*)$. 

    ▷ Rule Chal–Hash$^{(4)}$ 
    The four values $R^+ \xleftarrow{R} \mathcal{M}$, $r^+ \xleftarrow{R} \mathcal{R}$, $g^+ \xleftarrow{R} \{0,1\}^\ell$ and $h^+ \xleftarrow{R} \{0,1\}^k$ have been chosen ahead of time, then set 
    $a^* = \mathcal{E}_{pk}(R^+, r^+)$, $b^* = m^* \oplus g^+$, $c^* = h^+$. 

The two games $\mathbf{G}_4$ and $\mathbf{G}_3$ are perfectly indistinguishable unless $R^*$ is asked for $G$, either by the adversary or the decryption oracle. The former case has already been cancelled in the previous game in $\mathsf{AskR}_3$. The latter case makes no difference since either $H(R^*, m, a, b)$ has been queried by the adversary, which falls in $\mathsf{AskR}_3$, or the ciphertext is rejected in both games. We have: 

$$\Pr[S_4] = \Pr[S_3], \qquad \Pr[\mathsf{AskR}_4] = \Pr[\mathsf{AskR}_3]. \tag{35}$$

In this game, $m^*$ is masked by $g^+$, a random value which never appears anywhere else. Thus, the input to $\mathcal{A}_2$ follows a distribution that does not depend on $b$. Accordingly: 

$$\Pr[S_4] = \frac{1}{2}. \tag{36}$$


Game $\mathbf{G}_5$: Finally, one chooses $a^+ \xleftarrow{R} \mathcal{C}$, according to the following distribution: $R^+ \xleftarrow{R} \mathcal{M}$, $r^+ \xleftarrow{R} \mathcal{R}$, $a^+ \leftarrow \mathcal{E}_{pk}(R^+, r^+)$. This implicitly defines one pair $(R^+, r^+)$, but the latter is unknown to the simulator. 

    ▷ Rule Chal–Hash$^{(5)}$ 
    The three values $a^+ \xleftarrow{R} \mathcal{C}$, $g^+ \xleftarrow{R} \{0,1\}^\ell$ and $h^+ \xleftarrow{R} \{0,1\}^k$ have been chosen/given ahead of time, then set 
    $a^* = a^+$, $b^* = m^* \oplus g^+$, $c^* = h^+$. 

The two games $\mathbf{G}_5$ and $\mathbf{G}_4$ are perfectly indistinguishable. 





Game $\mathbf{G}_6$: In the simulation of the decryption oracle, we may reject even earlier, if the corresponding $R$ has not been queried to $G$: 

    ▷ Rule Decrypt–R$^{(6)}$ 
    Look up in $G$-List for $(R, g)$ such that $R = \mathcal{D}_{sk}(a)$ (using the PCA-oracle). If no $R$ is found, then output “Reject”. 

Note that this game differs from the analogous one for the first generic construction BR, because the encryption function is not deterministic, as was the permutation $f$. Such a simulation differs from the one in the previous game if the value $(R, m, a, b)$ has been queried to $H$, while $G(R)$ is unpredictable, and thus $m = G(R) \oplus b$ is unpredictable too: 

$$|\Pr[\mathsf{AskR}_6] - \Pr[\mathsf{AskR}_5]| \le \frac{q_D}{2^k}. \tag{37}$$

One may now note that the event $\mathsf{AskR}_6$ leads to the plaintext $R^+$ of $a^+$ by $\mathcal{S}$ in the queries asked to $G$ and $H$. By checking all of them, one gets it: 

$$\Pr[\mathsf{AskR}_6] \le \mathrm{Succ}^{\mathrm{ow\text{-}pca}}_{\mathcal{S}}\big(\tau + (q_G + q_H)\,T_{pca}\big). \tag{38}$$














This construction is very generic, and achieves practical security. 
6.4.3. Hybrid REACT. In this REACT conversion, one can even improve efficiency, replacing the one-time pad [87] by any symmetric encryption scheme: indeed, we have computed some $b = m \oplus K$, where $K = G(R)$ can be seen as a session key used in a one-time pad encryption scheme. But one could use any symmetric encryption scheme $(E, D)$ that is just semantically secure (under no plaintext nor ciphertext attacks). Indeed, the one-time pad achieves perfect semantic security against this kind of very weak attack. But one can tolerate some imperfection. Anyway, most of the candidates to the AES process (the call for symmetric encryption schemes, from the NIST, to become the new international standard), and the AES itself (the winner), resisted more powerful attacks, and thus can be considered strongly secure in our scenario. Therefore, plaintexts of any size could be encrypted using this conversion (see Figure 15), at a very high speed. 

FIGURE 15. Hybrid Rapid Enhanced-security Asymmetric Cryptosystem Transform 


7. Conclusion 


Recently, Cramer and Shoup proposed the first schemes, for both encryption [23] and signature [24], with formal security proofs in the standard model (without any ideal assumption). The encryption scheme achieves IND-CCA under the sole DDH assumption, which says that the DDH problem is intractable. The signature scheme prevents existential forgeries, even against adaptive chosen-message attacks, under the Strong RSA assumption [2, 29], which claims the intractability of the Flexible RSA problem: 

Given an RSA modulus $N$ and any $y \in \mathbb{Z}_N^*$, produce $x$ and a prime integer $e$ such that $y = x^e \bmod N$. 


Both schemes are very nice because they are the first efficient schemes with formal security proofs in the standard model, but under stronger computational assumptions. We have not presented them, nor the reductions either, which can be found in the original papers. Actually, they are intricate and pretty expensive. Indeed, the complexity of the reductions makes them meaningful for large parameters only. 

Furthermore, as already noted, no ideal assumptions (such as the random-oracle model) are required, but stronger computational assumptions are needed: the final decision on the best choice for practical use is not easy. 

Moreover, even if the schemes are much more efficient than previous proposals in the standard model, they are still more than twice as expensive as the schemes presented throughout this paper, in the random-oracle model. This is enough to rule them out of most practical applications. Indeed, everybody wants security, but only if it is quite transparent. Therefore, provable security must not decrease efficiency. It is the reason why strong security arguments (which are in an ideal model, but this can be seen as realistic restrictions on the adversary’s capabilities) for efficient schemes have a more practical impact than security proofs in the standard model for less efficient schemes. 

Of course, quite efficient schemes with formal security proofs are still the 
target, and thus an exciting challenge. 
Efficient and Secure Public-Key Cryptosystems 
Tsuyoshi Takagi 


Abstract. Nowadays, the RSA cryptosystem is used for practical security applications, e.g., SSL, IPSEC, PKI, etc. The elliptic curve cryptosystem has been the focus of implementations in memory-constrained environments because of its small key size. In this chapter we give an overview of efficient algorithms applied to the RSA cryptosystem and the EC cryptosystem. On the other hand, novel attacks on efficient implementations have been proposed, namely the timing attack, side channel attacks, the fault attack, etc. These attacks can recover the secret key of the underlying cryptosystem if the implementation method is not carefully considered. We also explain several attacks related to efficient implementation, and present countermeasures against them. 


1. Efficient Integer Arithmetic 


In this section we show several fast integer arithmetic algorithms used for cryptography. 

Let $\mathbb{Z}$ be the integer ring. Let $\mathbb{Z}/n\mathbb{Z}$ be the residue class ring modulo $n$, where $n$ is a positive integer. In this article we use the following representatives of the classes: $\mathbb{Z}/n\mathbb{Z} = \{0, 1, 2, \ldots, n-1\}$. We denote by $(\mathbb{Z}/n\mathbb{Z})^*$ the multiplicative group of residues modulo $n$, namely $\{g \in \mathbb{Z}/n\mathbb{Z} \mid \gcd(g, n) = 1\}$, where $\gcd(a, b)$ is the greatest common divisor of $a$ and $b$. In cryptography we deal with quite large integers, e.g., 1024 bits for the RSA cryptosystem, 160 bits for the elliptic curve cryptosystem. Therefore the asymptotic complexity is useful for estimating the running time of cryptographic algorithms. Let $O(f(n))$ denote a function $h(n)$ such that $|h(n)| \le c\,|f(n)|$ for all sufficiently large $n$ and some positive constant $c$. The basic operations in $\mathbb{Z}/n\mathbb{Z}$ used for cryptography are modular addition $a + b$, modular subtraction $a - b$, modular multiplication $ab$, and modular inversion $c^{-1}$, where $a, b \in \mathbb{Z}/n\mathbb{Z}$ and $c \in (\mathbb{Z}/n\mathbb{Z})^*$. Their asymptotic complexities are $O(\log n)$ for addition and subtraction, and $O((\log n)^2)$ for multiplication and inversion [MOV96]. 


1.1. Modular Exponentiation 


The modular exponentiation is the core arithmetic for the RSA cryptosystem. It computes $a^d \in \mathbb{Z}/n\mathbb{Z}$ for given integers $a$, $d$, and $n$. Let $d = \sum_{i=0}^{k-1} d[i]\,2^i$ be the binary representation of $d$, where $k-1$ is the position of the most significant non-zero bit and $d[i] = 0$ for $i > k-1$. A standard algorithm for computing the modular exponentiation is the binary method, which repeatedly computes squarings and multiplications based on the bits of the exponent $d$. There are two different directions for implementing the binary method, namely right-to-left and left-to-right. The binary methods are as follows: 

Binary Exponentiation Method 
INPUT $d, n, a$, $(d[k-1], \ldots, d[1], d[0])$, $d[k-1] = 1$ 
OUTPUT $a^d \bmod n$ 

(Left-to-Right)                              (Right-to-Left) 
1: $t \leftarrow a$                          1: $t \leftarrow 1$, $s \leftarrow a$ 
2: for $i = k-2$ down to $0$                 2: for $i = 0$ to $k-1$ 
3:   $t \leftarrow t^2 \bmod n$              3:   $t \leftarrow t\,s^{d[i]} \bmod n$ 
4:   $t \leftarrow t\,a^{d[i]} \bmod n$      4:   if $i \ne k-1$, then $s \leftarrow s^2 \bmod n$ 
5: return $t$                                5: return $t$ 

The left-to-right method computes from the most significant non-zero bit ($d[k-1] = 1$) down to the least significant bit ($d[0]$). The squaring $t = t^2 \bmod n$ is always computed, and the multiplication $t = ta \bmod n$ with the base $a$ is computed if the $i$-th bit $d[i]$ is non-zero. The right-to-left algorithm prepares two registers $s, t$. It computes from the least significant bit $d[0]$ to the most significant bit $d[k-1]$. The register $s$ is used for recursively computing the squaring $s = s^2 \bmod n$. The register $t$ is multiplied with $s$ if $d[i]$ is a non-zero bit. 

Both methods require $(k-1)$ squarings and $(k-1)/2$ multiplications on average. For example a 1024-bit integer $n$ requires about 1500 squarings and multiplications on average. The asymptotic running time of computing the modular exponentiation is $O((\log n)^3)$. 


1.2. Window Methods 

If we are allowed to use additional memory, the speed of modular exponentiation can be improved by precomputing several powers. Here we explain the $2^w$-ary method and the sliding window method. 

The $2^w$-ary method represents a $k$-bit integer $d = \sum_{i=0}^{k-1} d[i]\,2^i$ using the $2^w$-adic representation, namely 

$$d = \sum_{j=0}^{\lfloor (k-1)/w \rfloor} d_w[j]\,(2^w)^j, \qquad d_w[j] = \sum_{h=0}^{w-1} d[wj + h]\,2^h. \tag{1.1}$$

In order to calculate a modular exponentiation $a^d \bmod n$, we precompute the following powers $a^2, a^3, \ldots, a^{2^w - 1}$. Then the left-to-right modular exponentiation is applied to the $2^w$-adic representation as follows. 
$2^w$-Ary Exponentiation Method (Evaluation Stage) 
INPUT $d, n, a$, $(d_w[m], \ldots, d_w[1], d_w[0])$, $m = \lfloor (k-1)/w \rfloor$ 
OUTPUT $a^d \bmod n$ 
1: $t \leftarrow a^{d_w[m]}$ 
2: for $j = m-1$ down to $0$ 
3:   $t \leftarrow t^{2^w} \bmod n$ 
4:   $t \leftarrow t\,a^{d_w[j]} \bmod n$ 
5: return $t$ 

We estimate the efficiency of the $2^w$-ary method in the following. For the precomputation stage we need $2^w - 2$ multiplications in $\mathbb{Z}/n\mathbb{Z}$. In the evaluation stage we always compute $t^{2^w}$, which requires $mw$ multiplications in total. If the digit of the base-$2^w$ representation is not zero, we additionally compute $t = t\,a^{d_w[j]}$. The probability that a digit is not zero is $(1 - 1/2^w)$ and thus we compute $m(1 - 1/2^w)$ multiplications on average. In total the $2^w$-ary exponentiation method requires $2^w - 2 + m(w + 1 - 1/2^w)$ multiplications, where $m = \lfloor (k-1)/w \rfloor$. We show an example of the $2^w$-ary chain form as follows: 

binary string  1001110111100111000101101111000110101011111001 
w = 2          1001030103020103000101020303000102020203030201 
w = 3          1001006007004007000005005007000006005003007001 


Next we try to reduce the precomputed table size using a different exponent recoding algorithm. The sliding window method is one of the most efficient window methods with a small table size for general purposes. While the $2^w$-ary method precomputes all positive integers smaller than $2^w$, the width-$w$ sliding window method precomputes only the odd integers smaller than $2^w$, namely we represent an integer $d$ as follows: 

$$d = \sum_{i=0}^{k} d_{sw}[i]\,2^i, \qquad d_{sw}[i] \in \{0, 1, 3, 5, \ldots, 2^w - 1\}. \tag{1.2}$$

We explain the exponent recoding stage of the sliding window method. The binary bit sequence of $d$ is scanned from the most significant bit. If a zero bit appears, we skip to the next lower bit. If a non-zero bit appears, we scan the lower bits (at most $w$ bits in total) and convert them to the largest odd integer smaller than $2^w$ that they contain. The converted odd integer from the scanned bits is the digit of the sliding window method, and the other digits are assigned as zero. The conversion tables for small width $w$ are $11 \to 03$ for $w = 2$ and $101 \to 005$, $111 \to 007$ for $w = 3$. We show an example of the sliding window chain as follows: 

binary string  1001110111100111000101101111000110101011111001 
w = 2          1000310030300031000100300303000030101003031001 
w = 3          1000070007100007000005005007000030005000703001 
Then the sliding window method computes the modular exponentiation using the left-to-right binary method. 

Width-$w$ Sliding Window Method (Evaluation Stage) 
INPUT $d, n, a$, $(d_{sw}[k-1], \ldots, d_{sw}[1], d_{sw}[0])$ 
OUTPUT $a^d \bmod n$ 
1: $t \leftarrow a^{d_{sw}[k-1]}$ 
2: for $i = k-2$ down to $0$ 
3:   $t \leftarrow t^2 \bmod n$ 
4:   $t \leftarrow t\,a^{d_{sw}[i]} \bmod n$ 
5: return $t$ 


The efficiency of the width-$w$ sliding window method is given by the following theorem. 

Theorem 1.1. The average density of non-zero digits of the width-$w$ sliding window chain is asymptotically $1/(w+1)$. 

Proof. We assume that each bit of the binary string is distributed with probability $1/2$. The width-$w$ conversion table can be simulated by a finite automaton with two states (0) and (NZ) of binary strings, where (NZ) is a string of $w$ consecutive bits with non-zero leading bit. From the construction, the transition matrix of these states is as follows: 

$$\begin{array}{c|cc} & (0) & (NZ) \\ \hline (0) & 1/2 & 1/2 \\ (NZ) & 1/2 & 1/2 \end{array}$$

Therefore the states (0) and (NZ) asymptotically occur with probability $1/2$ each. The average bit-length of the non-zero digits and of the two states is $1 \times \frac{1}{2}$ and $1 \times \frac{1}{2} + w \times \frac{1}{2}$, respectively. Thus the average non-zero density is asymptotically 

$$\big(1 \times \tfrac{1}{2}\big) \Big/ \big(1 \times \tfrac{1}{2} + w \times \tfrac{1}{2}\big) = 1/(w+1). \qquad \square$$
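As an added example (not code from the chapter), the two recodings of Section 1.2 and the evaluation stage they share, in Python; the binary string is the one used for the two chains above, and the modulus in the test is a constructed value. Going slightly beyond the text, the same left-to-right loop evaluates both chains, because each digit is stored at the least significant position of its window.

```python
# Added example (not from the chapter): 2^w-ary and sliding window recoding
# and evaluation (Section 1.2). A chain is a list with one digit per bit
# position; the digit of each window sits at the window's least significant
# position and every other position is 0, exactly as the chains are printed.

def recode_2w(bits: str, w: int) -> list:
    """2^w-ary recoding. Windows are aligned from the least significant bit,
    so the top window may hold fewer than w bits (m = floor((k-1)/w))."""
    k = len(bits)
    digits = [0] * k
    hi = k
    while hi > 0:
        lo = max(0, hi - w)
        digits[hi - 1] = int(bits[lo:hi], 2)   # d_w[j] at the window's low end
        hi = lo
    return digits

def recode_sliding(bits: str, w: int) -> list:
    """Width-w sliding window recoding: scan from the MSB, skip zero bits,
    and at a one-bit take the longest window of at most w bits that ends in
    a one, so every digit is odd (0, 1, 3, ..., 2^w - 1)."""
    k = len(bits)
    digits = [0] * k
    i = 0
    while i < k:
        if bits[i] == "0":
            i += 1
            continue
        end = min(k, i + w)
        while bits[end - 1] == "0":          # shrink until the window is odd
            end -= 1
        digits[end - 1] = int(bits[i:end], 2)
        i = end
    return digits

def chain_str(digits: list) -> str:
    """Print a chain as the chapter does (one character per digit, w <= 3)."""
    return "".join(str(d) for d in digits)

def precompute(a: int, n: int, w: int, odd_only: bool) -> dict:
    """Table of a^v mod n for v = 1..2^w-1 (2^w-ary: 2^w-2 multiplications),
    or for odd v only (sliding window: 2^(w-1)-1 multiplications by a^2)."""
    table = {1: a % n}
    step = 2 if odd_only else 1
    mult = a * a % n if odd_only else a % n
    v, x = 1, a % n
    while v + step < 2 ** w:
        v += step
        x = x * mult % n
        table[v] = x
    return table

def exp_with_chain(a: int, digits: list, n: int, table: dict) -> int:
    """Left-to-right evaluation stage shared by both window methods."""
    t = 1
    for d in digits:
        t = t * t % n                        # one squaring per bit position
        if d:
            t = t * table[d] % n             # one multiplication per non-zero digit
    return t

def window_exp(a: int, d: int, n: int, w: int, sliding: bool) -> int:
    """a^d mod n via the 2^w-ary (sliding=False) or sliding window method."""
    bits = bin(d)[2:]
    digits = recode_sliding(bits, w) if sliding else recode_2w(bits, w)
    return exp_with_chain(a, digits, n, precompute(a, n, w, sliding))

def nonzero_density(digits: list) -> float:
    """Fraction of non-zero digits; Theorem 1.1 predicts about 1/(w+1)
    for a sliding window chain of a long random exponent."""
    return sum(1 for d in digits if d) / len(digits)

# The binary string used in the chapter's two chain examples.
EXAMPLE_BITS = "1001110111100111000101101111000110101011111001"
```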














1.3. Montgomery Multiplication 


Let $a, b$ be two elements in $\mathbb{Z}/n\mathbb{Z}$, where $n$ is a positive integer. The straightforward implementation of the modular multiplication $ab \bmod n$ requires a division with remainder, namely we compute the integer $r$ such that $ab = qn + r$, $0 \le r < n$, for some integer $q$. The division of integers is a relatively expensive and complicated operation to implement. The Montgomery multiplication is able to avoid the division in the modular multiplication. The general description of Montgomery multiplication is as follows: 

Montgomery Multiplication 
INPUT $a, b \in \mathbb{Z}/n\mathbb{Z}$, $R = 2^r$ ($r$ is the bit-length of $n$), $n' = -n^{-1} \bmod R$ (which exists since $n$ is odd) 
OUTPUT $abR^{-1} \bmod n$ 
1: $t \leftarrow ab$ in $\mathbb{Z}$ 
2: $u \leftarrow tn' \bmod R$ 
3: $v \leftarrow (t + un)/R$ in $\mathbb{Z}$ 
4: if $v \ge n$, then $v \leftarrow v - n$ 
5: return $v$ 

Montgomery multiplication still utilizes the reduction modulo $R$ in Step 2 and the division by $R$ in Step 3, where $R = 2^r$. However, these operations are quite efficient, because integers in a computer system are usually stored in binary representation. The reduction modulo $R = 2^r$ in Step 2 is a re-assignment of the least $r$ bits of the integer $tn'$. The integer $t + un$ in Step 3 is divisible by $R$, and the division by $R$ is an $r$-bit right shift operation. 

In the following we explain the correctness of Montgomery multiplication. At first we claim that $(t + un)$ is divisible by $R$. There are integers $k, l$ such that $u = tn' + kR$ and $n'n = -1 + lR$. Thus we obtain $t + un = t + t\,n'n + kRn = R(tl + kn)$. Next note that $(t + un)/R \equiv (t + un)R^{-1} \equiv tR^{-1} \equiv abR^{-1} \pmod n$. Therefore $v$ in Step 3 is contained in the same residue class as the output $abR^{-1} \bmod n$. Finally we show that $v$ is at most $2n$, namely $(t + un)/R < (n^2 + Rn)/R < 2n$. 

Note that the output of Montgomery multiplication is different from $ab \bmod n$. We describe how to apply the Montgomery multiplication to the modular exponentiation algorithm. Denote by $\mathrm{Mont}(a, b)$ the Montgomery multiplication for $a, b \in \mathbb{Z}/n\mathbb{Z}$ and $R = 2^r$, where $r = \lceil \log_2 n \rceil$. In the following we explain how to compute the modular exponentiation $a^d \bmod n$ using $\mathrm{Mont}(\cdot, \cdot)$, where $d$ is an integer. Let $d = \sum_{i=0}^{k-1} d[i]\,2^i$ be the bit representation of $d$. We apply the left-to-right binary method as follows: 

Binary Method with Montgomery Multiplication 
INPUT $d, n, a$, $(d[k-1], \ldots, d[1], d[0])$, $R^2 \bmod n$, $d[k-1] = 1$ 
OUTPUT $a^d \bmod n$ 
1: $t \leftarrow \mathrm{Mont}(a, R^2)$ 
2: $s \leftarrow t$ 
3: for $i = k-2$ down to $0$ 
4:   $s \leftarrow \mathrm{Mont}(s, s)$ 
5:   if $d[i] = 1$ then $s \leftarrow \mathrm{Mont}(s, t)$ 
6: $s \leftarrow \mathrm{Mont}(s, 1)$ 
7: return $s$ 

We assume that $R^2 \bmod n$ is precomputed. In Step 1 we convert the integer $a$ to $\mathrm{Mont}(a, R^2) = aR \bmod n$. In the main loop of the binary method, the integer in the register is represented as $s = a^x R \bmod n$ for some integer $x$. Thus we obtain $\mathrm{Mont}(s, s) = s^2 R^{-1} = a^{2x} R \bmod n$ in Step 4 and $\mathrm{Mont}(s, t) = st R^{-1} = a^{x+1} R \bmod n$ in Step 5. After the main loop, the integer is still multiplied by $R$, namely $s = a^d R \bmod n$. Then we recover the standard representation by computing $\mathrm{Mont}(s, 1) = a^d \bmod n$. 

The algorithm calls only Montgomery multiplication as a subroutine. The overheads compared with the standard binary method are Step 1 and Step 6, namely two Montgomery multiplications. Therefore, we can efficiently implement the binary exponentiation using the Montgomery multiplication. 
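As an added example (not code from the chapter), Montgomery multiplication and the binary method built on it from Section 1.3, in Python; big integers stand in for the multi-precision arithmetic of a real implementation, and the moduli in the test are constructed values.

```python
# Added example (not from the chapter): Montgomery multiplication (Section 1.3)
# and the left-to-right binary method in which every step is one Mont(.,.).
# n must be odd so that n' = -n^{-1} mod R exists; R = 2^r with r = bit-length of n.

def mont_setup(n: int) -> tuple:
    """Return (r, R, n') for an odd modulus n."""
    if n % 2 == 0:
        raise ValueError("Montgomery multiplication needs an odd modulus")
    r = n.bit_length()
    R = 1 << r
    n_prime = (-pow(n, -1, R)) % R            # n' = -n^{-1} mod R
    return r, R, n_prime

def mont(a: int, b: int, n: int, r: int, R: int, n_prime: int) -> int:
    """Mont(a, b) = a*b*R^{-1} mod n for 0 <= a, b < n, with no division by n."""
    t = a * b                                 # Step 1: product in Z
    u = (t * n_prime) & (R - 1)               # Step 2: reduction mod R keeps the low r bits
    s = t + u * n                             # a multiple of R (see the correctness proof)
    assert s & (R - 1) == 0
    v = s >> r                                # Step 3: division by R is an r-bit right shift
    if v >= n:                                # Step 4: v < 2n, so one subtraction suffices
        v -= n
    return v

def mont_exp(a: int, d: int, n: int) -> int:
    """a^d mod n by the binary method with Montgomery multiplication."""
    r, R, n_prime = mont_setup(n)
    if d == 0:
        return 1 % n
    a %= n
    R2 = (R * R) % n                          # precomputed once per modulus
    t = mont(a, R2, n, r, R, n_prime)         # Step 1: t = a*R mod n (Montgomery form)
    s = t                                     # Step 2
    for bit in bin(d)[3:]:                    # bits d[k-2] .. d[0]; d[k-1] = 1 is in s already
        s = mont(s, s, n, r, R, n_prime)      # Step 4: s = a^{2x} R mod n
        if bit == "1":
            s = mont(s, t, n, r, R, n_prime)  # Step 5: s = a^{x+1} R mod n
    return mont(s, 1, n, r, R, n_prime)       # Step 6: strip the factor R
```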


2. Fast Variants of RSA Cryptosystem 


The RSA cryptosystem is one of the most practical public key cryptosystems and is used throughout the world [RSA78]. In this section we show several efficient variants of the RSA cryptosystem, namely RSA with the Chinese remainder theorem, Multi-Prime RSA, and Multi-Exponent RSA. 

The original RSA cryptosystem is as follows: Generate two random primes $p, q$, and let $n = pq$. Compute $L = \mathrm{LCM}(p-1, q-1)$, and find $e, d$ which satisfy $ed \equiv 1 \bmod L$. Then $e, n$ are the public keys, and $d$ is the secret key. Let $M \in \mathbb{Z}/n\mathbb{Z}$ be the plaintext. The algorithms of encryption and decryption consist of exponentiation to the $e$-th and $d$-th powers modulo $n$, respectively. We encrypt the plaintext by the equation $C = M^e \bmod n$. We decrypt the ciphertext by the equation $M = C^d \bmod n$. 

We can make $e$ small, but the low exponent attacks should be considered ([CFPR96], [Cop96], [Has88]). The encryption process then takes less computation and is fast. On the other hand, the decryption key $d$ must be larger than $n^{1/4}$ to preclude Wiener’s attack [Wie90] and its extensions ([VT97], [BD00]). Therefore, the cost of the decryption process is dominant for the RSA cryptosystem. 


2.1. PKCS #1 Version 2.1 

We review the RSA primitives described in PKCS #1 version 2.1, namely RSA with the Chinese Remainder Theorem (CRT) [QC82] and Multi-Prime RSA [PKCS]. 

RSA with CRT. At first we describe the RSA primitive using the CRT [QC82]. The secret keys of this RSA variant are the primes $p, q$ and $d_p, d_q$, where $n = pq$ and $d_p = d \bmod (p-1)$, $d_q = d \bmod (q-1)$. The value $M = C^d \bmod n$ can be computed from $M_p = C^{d_p} \bmod p$ and $M_q = C^{d_q} \bmod q$ using the CRT. We usually use Garner’s theorem: 

$$M = M_p + pV, \qquad V = (M_q - M_p)\,p^{-1} \bmod q.$$

The inverse value $p^{-1} \bmod q$ is also stored as a part of the secret key, so we do not have to compute the modular inversion, but the total secret key size becomes 1.5 times larger. In this case, the computation of $C^d \bmod n$ using the CRT is about 4 times faster than the original one. 
Multi-Prime RSA. We describe the Multi-Prime RSA [PKCS]. The public key $(e, n)$ and the encryption function $f(x) = x^e \bmod n$ of the Multi-Prime RSA are equal to those of the RSA primitive, where $e$ satisfies $\mathrm{GCD}(e, \phi(n)) = 1$. We explain the decryption algorithm in the following. 

At first we describe the simplest case of the Multi-Prime RSA, which uses the modulus $n = p_1 p_2 p_3$, where $p_1, p_2, p_3$ are primes of the same size. If we carefully choose the size of the primes, the modulus $n = p_1 p_2 p_3$ is secure for cryptographic purposes [Sil00]. For example, a 1024-bit Multi-Prime RSA modulus is as secure as a 1024-bit RSA modulus, as described in Section 2.3. The plaintext $M$ is encrypted by $C = M^e \bmod n$. The secret keys of the Multi-Prime RSA are the primes $p_i$ and $d_{p_i}$ for $i = 1, 2, 3$, where $d_{p_i} = d \bmod (p_i - 1)$. The message $M \bmod n$ can be computed from $M_{p_i} = C^{d_{p_i}} \bmod p_i$ for $i = 1, 2, 3$ using the CRT. We use Garner’s algorithm twice for the CRT: 

$$M = M_{p_1 p_2} + (p_1 p_2)\,V, \qquad V = (M_{p_3} - M_{p_1 p_2})\,(p_1 p_2)^{-1} \bmod p_3,$$
$$M_{p_1 p_2} = M_{p_1} + p_1 U, \qquad U = (M_{p_2} - M_{p_1})\,p_1^{-1} \bmod p_2.$$

The inverse values $((p_1 p_2)^{-1} \bmod p_3)$ and $(p_1^{-1} \bmod p_2)$ are stored as a part of the secret key, and we do not have to compute the modular inversion. 

We describe the Multi-Prime RSA for a general modulus $n = \prod_i p_i$, where the $p_i$ are primes, $i = 1, 2, \ldots, m$, as follows: 

Decryption of Multi-Prime RSA 
INPUT $C$, $d_{p_1}, \ldots, d_{p_m}$, $p_1, \ldots, p_m$, p(1)_inv_p2, p(2)_inv_p3, ..., p(m-1)_inv_pm 
OUTPUT $M$ 
1: for $i = 1$ to $m$ 
2:   $M_{p_i} = C^{d_{p_i}} \bmod p_i$ 
3: $A = M_{p_1}$ 
4: for $i = 1$ to $m-1$ 
5:   $p(i) = p(i-1)\,p_i$ 
6:   $F = M_{p_{i+1}} - A$ 
7:   $E = F \cdot (\text{p(i)\_inv\_p}_{i+1}) \bmod p_{i+1}$ 
8:   $A = A + p(i)\,E$ 
9: Return $A$ 

The plaintext $M$ is encrypted by $C = M^e \bmod n$. The relation between the encryption exponent $e$ and the decryption exponent $d$ is $ed \equiv 1 \bmod \mathrm{LCM}(p_1 - 1, \ldots, p_m - 1)$. Moreover, we denote $d_{p_i} = d \bmod (p_i - 1)$, $p(i) = p_1 \cdots p_i$ for $i = 1, 2, \ldots, m$ and $\text{p(i)\_inv\_p}_{i+1} = p(i)^{-1} \bmod p_{i+1}$ for $i = 1, 2, \ldots, m-1$. Note that $p(1) = p_1$ and we define $p(0) = 1$. 
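As an added example (not code from the chapter), key generation and the general Multi-Prime decryption of Section 2.1 in Python, with Garner's recombination applied $m-1$ times exactly as in Steps 4 to 8; with $m = 2$ it is plain RSA with CRT. The primes in the test are constructed and far too small for real use.

```python
# Added example (not from the chapter): Multi-Prime RSA decryption (Section 2.1).
# The secret key holds, besides the primes and the d_{p_i}, the inverses
# p(i)_inv_p_{i+1} = (p_1 ... p_i)^{-1} mod p_{i+1}, so no inversion is done at
# decryption time. Setting m = 2 gives RSA with CRT (Garner's theorem once).
from math import gcd

def _lcm(a: int, b: int) -> int:
    return a // gcd(a, b) * b

def multiprime_keygen(primes: list, e: int = 65537) -> tuple:
    """Return ((e, n), (primes, [d_{p_i}], [p(i)_inv_p_{i+1}]))."""
    n, L = 1, 1
    for p in primes:
        n *= p
        L = _lcm(L, p - 1)                     # LCM(p_1 - 1, ..., p_m - 1)
    d = pow(e, -1, L)                          # ed = 1 mod L
    d_ps = [d % (p - 1) for p in primes]       # d_{p_i} = d mod (p_i - 1)
    p_inv, P = [], 1
    for i in range(len(primes) - 1):
        P *= primes[i]                         # p(i) = p_1 ... p_i
        p_inv.append(pow(P, -1, primes[i + 1]))
    return (e, n), (primes, d_ps, p_inv)

def multiprime_decrypt(C: int, sk: tuple) -> int:
    """Steps 1-9 of 'Decryption of Multi-Prime RSA'."""
    primes, d_ps, p_inv = sk
    m = len(primes)
    # Steps 1-2: one short exponentiation modulo each prime
    M_p = [pow(C % p, dp, p) for p, dp in zip(primes, d_ps)]
    A = M_p[0]                                 # Step 3: A = M mod p(1)
    P = 1                                      # p(0) = 1
    for i in range(m - 1):                     # Steps 4-8: Garner, one prime at a time
        P *= primes[i]                         # Step 5: p(i)
        F = M_p[i + 1] - A                     # Step 6
        E = F * p_inv[i] % primes[i + 1]       # Step 7
        A = A + P * E                          # Step 8: now A = M mod p(i+1)
    return A                                   # Step 9

def rsa_encrypt(M: int, pk: tuple) -> int:
    e, n = pk
    return pow(M, e, n)
```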


2.2. Multi-Exponent RSA 


In this section, we describe another variant of the RSA cryptosystem, called Multi-Exponent RSA ([BS02, Tak98]). 

Generation of the keys: Generate two random primes $p, q$, and let $n = p^k q$. Compute $L = \mathrm{LCM}(p-1, q-1)$, and find $e, d$ which satisfy $ed \equiv 1 \bmod L$ and $\mathrm{GCD}(e, p) = 1$. Let $d_p = d \bmod (p-1)$ and $d_q = d \bmod (q-1)$. Moreover, we pre-compute $(p^k)^{-1} \bmod q$ for the sake of efficiency. We denote $(p^k)$_inv_q $= (p^k)^{-1} \bmod q$. Then $e, n$ are the public keys, and $d_p, d_q, p, q, (p^k)$_inv_q are the secret keys. 


Encryption: Let $M \in (\mathbb{Z}/n\mathbb{Z})^*$ be the plaintext. We encrypt the plaintext by the equation: 

$$C = M^e \bmod n. \tag{2.1}$$

Decryption: We compute $M_p = M \bmod p^k$ and $M_q = M \bmod q$ using the secret keys. The plaintext $M$ can then be recovered by the Chinese remainder theorem. Here, $M_q$ is computed by $M_q = C^{d_q} \bmod q$ and $M_p$ is computed by Hensel lifting from $M \bmod p = C^{d_p} \bmod p$. The details of the decryption algorithm are as follows: 


Multi-Exponent RSA Decryption 
INPUT $C, e, d_p, d_q, p, q$, $(p^k)$_inv_q, e_inv_p 
OUTPUT $M$ 
1: $M_q = C^{d_q} \bmod q$ 
2: $K = C^{d_p - 1} \bmod p$ 
3: $A = KC \bmod p$ 
4: for $i = 1$ to $k-1$ 
5:   $p^{i+1} = p^i\,p$ 
6:   $F = A^e \bmod p^{i+1}$ 
7:   $E = C - F \bmod p^{i+1}$ 
8:   $B = EK(\text{e\_inv\_p}) \bmod p^{i+1}$ 
9:   $A = A + B$ 
10: $V = (M_q - A)((p^k)\text{\_inv\_q}) \bmod q$ 
11: $A = A + (p^k)\,V$ 
12: Return $A$ 


We explain in the following that the decryption algorithm of Multi-Exponent RSA returns the correct value. We prove that $M_i = M \bmod p^i$ can be lifted to $M_{i+1} = M \bmod p^{i+1}$ using the Multi-Exponent RSA decryption, by induction on $i$. We have proved it for $i = 1$ above. We assume that it is true up to $i = j-1$, which means that the algorithm works correctly up to $i = j-1$ and we have obtained the correct $M_j = M \bmod p^j$. We will prove that $M_{j+1} = M \bmod p^{j+1}$ can be lifted from $M_j$ using the Multi-Exponent RSA decryption. There is a unique integer $0 \le X_j < p$ such that $M_{j+1} = M_j + p^j X_j \bmod p^{j+1}$. If we find the value $X_j$, then $M_{j+1}$ can be computed. From $C = (M_j + p^j X_j)^e = M_j^e + (p^j X_j)\,e\,M_j^{e-1} \bmod p^{j+1}$, we have the following relationship: 

$$C - M_j^e = (p^j X_j)\,e\,M_j^{e-1} \bmod p^{j+1}. \tag{2.2}$$

The value $(M_j^{e-1})^{-1} \bmod p = M^{1-e} \bmod p$ is equal to $K = C^{d_p - 1} = M^{1-e} \bmod p$ in Step 2. Thus we obtain the formula of Step 8: 

$$p^j X_j = (C - F)\,K\,(e^{-1} \bmod p) \bmod p^{j+1}. \tag{2.3}$$
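As an added example (not code from the chapter), key generation and the Multi-Exponent RSA decryption of Section 2.2 in Python, with the $k-1$ Hensel lifting steps of (2.2) and (2.3) followed by the CRT step with $q$; the primes in the test are constructed and far too small for real use.

```python
# Added example (not from the chapter): Multi-Exponent RSA with n = p^k q
# (Section 2.2). Decryption costs one exponentiation modulo q, one modulo p,
# and then k-1 cheap Hensel lifting steps modulo p^{i+1} instead of a full
# exponentiation modulo p^k. The plaintext must lie in (Z/nZ)^*.
from math import gcd

def multiexp_keygen(p: int, q: int, k: int, e: int = 65537) -> tuple:
    """Return ((e, n), sk) with the secret values of 'Generation of the keys'."""
    n = p ** k * q
    L = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # LCM(p-1, q-1)
    if gcd(e, L) != 1 or gcd(e, p) != 1:
        raise ValueError("e must be invertible mod L and coprime to p")
    d = pow(e, -1, L)                            # ed = 1 mod L
    sk = {
        "p": p, "q": q, "k": k, "e": e,
        "dp": d % (p - 1), "dq": d % (q - 1),
        "pk_inv_q": pow(p ** k, -1, q),          # (p^k)_inv_q
        "e_inv_p": pow(e, -1, p),                # e_inv_p
    }
    return (e, n), sk

def multiexp_decrypt(C: int, sk: dict) -> int:
    """Steps 1-12 of 'Multi-Exponent RSA Decryption'."""
    p, q, k, e = sk["p"], sk["q"], sk["k"], sk["e"]
    Mq = pow(C % q, sk["dq"], q)                 # Step 1: M mod q
    K = pow(C % p, sk["dp"] - 1, p)              # Step 2: K = C^{d_p - 1} = M^{1-e} mod p
    A = K * C % p                                # Step 3: A = M mod p
    pi = p                                       # p^i
    for i in range(1, k):                        # Steps 4-9: lift A from mod p^i to mod p^{i+1}
        pi1 = pi * p                             # Step 5: p^{i+1}
        F = pow(A, e, pi1)                       # Step 6: F = A^e mod p^{i+1}
        E = (C - F) % pi1                        # Step 7: divisible by p^i, see (2.2)
        B = E * K * sk["e_inv_p"] % pi1          # Step 8: B = p^i X_i, see (2.3)
        A = (A + B) % pi1                        # Step 9: A = M mod p^{i+1}
        pi = pi1
    V = (Mq - A) * sk["pk_inv_q"] % q            # Step 10: Garner with moduli p^k and q
    return A + pi * V                            # Step 11: A < p^k and V < q, so this is < n

def multiexp_encrypt(M: int, pk: tuple) -> int:
    e, n = pk
    return pow(M, e, n)                          # (2.1)
```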


2.3. Size of Secret Primes 


We discuss the size of the secret primes $p$ and $q$. The RSA cryptosystem uses a composite number of the symmetric type $pq$, where $p$ and $q$ have the same bit size. The cryptosystem proposed in this paper bases its security on the difficulty of factoring the modulus $p^k q$. We have to carefully choose the size of $p$ and $q$. 

There are two types of fast factoring algorithms to consider: the number field sieve [LL91] and the elliptic curve method [Len87]. Other factoring algorithms have the same or slower running times, so the size of the RSA modulus can be estimated by these two factoring algorithms ([KR95], [MOV96], [RS97], [Bre00]). Let $L_N[s, c] = \exp\big((c + o(1)) \log^s(N) \log\log^{1-s}(N)\big)$. The number field sieve is the fastest factoring algorithm, and its running time is estimated from the total bit size of the integer $n$ to be factored, which is expected to be $L_n[1/3, (64/9)^{1/3}]$. If we choose $n$ to be larger than 1024 bits, the number field sieve becomes infeasible. In our case we have to make the modulus $n = p^k q$ larger than 1024 bits. The elliptic curve method is effective for finding primes which are divisors of the integer $n$ to be factored. Its running time is estimated in terms of the bit size of the prime divisor $p$. Its expected value is $L_p[1/2, 2^{1/2}]$. Note that the running time of the elliptic curve method is different from that of the number field sieve, and the order is much different. If we choose the primes to be larger than 342 bits, the elliptic curve method requires much more time in comparison with the NFS for factoring a 1024-bit composite number. 

The factoring algorithms strongly depend on the implementation. The fastest implementation record for the number field sieve factored a 512-bit RSA modulus [RSA155]¹ and that for the elliptic curve method found a 183-bit prime factor [ECMNET]. Here again, we emphasize that there is a big difference in the cost between the number field sieve and the elliptic curve method. Therefore, if we choose the 1024-bit modulus $p^2 q$ with 342-bit primes $p$ and $q$, neither of the factoring algorithms is feasible, so the Multi-Exponent RSA is secure for cryptographic purposes. Silverman discussed the key size based on a cost-based analysis and he concluded that the 1024-bit modulus $p^2 q$ with $p, q$ of the same size is secure against both the NFS and the ECM [Sil00]. 

We wonder if there exist factoring algorithms against a modulus with a square factor $p^2 q$. This factoring problem appeared in the list of open problems in number theoretic complexity by Adleman and McCurley [AM94], and it is unknown whether there exists an $L_n[1/3]$-type sub-exponential algorithm which finds the primes of the composite number $p^2 q$. Peralta and Okamoto proposed a factoring algorithm against numbers of the form $p^2 q$ based on the elliptic curve method [PO96]. They focused on the fact that the Jacobi symbol modulo $p^2 q$ is equal to the one modulo $q$, and the running time becomes a little bit faster than that of the original elliptic curve method. Recently, Ebinger and Teske reported that their algorithm does not improve the running time of the ECM [ET02]. 

¹ Recently, the RSA-160 (530 bits) was factored (see [BFKLB03]). 


2.4. Comparison 


We compare the Multi-Prime RSA with the Multi-Exponent RSA. The running time and the size of the secret key of both the Multi-Prime decryption and the Multi-Exponent decryption are discussed. 

In order to estimate the running times we use the straightforward algorithms described in the book [MOV96]. An integer is represented as $\sum_{i=0}^{n} u[i]\,b^i$ with base $b$ and digits $u[i]$, where $b$ is chosen to suit the computer architecture and $u[i] = 0, 1, \ldots, b-1$. The multiplication of two base digits is called a single-precision multiplication (SPM). A multiplication of $(n+1)$ digits and $(t+1)$ digits requires $(n+1)(t+1)$ SPMs (Algorithm 14.12 and Note 14.15 of [MOV96]). A division of $(n+1)$ digits by $(t+1)$ digits requires $(n-t)(t+3)$ SPMs (Algorithm 14.20 and Note 14.25 of [MOV96]). We assume that a modular multiplication of $(n+1)$ digits requires $2n^2 + 5n + 1$ SPMs (Algorithm 14.28 of [MOV96]). Let $a^x \bmod b$ be a modular exponentiation of $(n+1)$ digits, where $a, b$ and $x$ are $(n+1)$-digit integers. If we compute the modular exponentiation using the standard binary method, it requires $1.5n(2n^2 + 5n + 1)$ SPMs on average. We assume that the computation times of an addition and a subtraction are negligible compared with those of the multiplication or the division. 

At first we estimate the running time of Multi-Prime decryption. We assume that the secret primes $p_i$ (for $i = 1, 2, \ldots, m$) are $(n+1)$ digits. In the beginning of Step 2 we reduce the ciphertext $C$ modulo $p_i$, which requires $(m-1)n(n+3)$ SPMs. Then $m$ modular exponentiations $C^{d_{p_i}} \bmod p_i$ (for $i = 1, 2, \ldots, m$) are computed, which require $m(1.5n)(2n^2 + 5n + 1)$ SPMs. In Step 5 we compute multiplications of $(n+1)$ digits and $(n+1)i$ digits for $i = 1, 2, \ldots, m-2$, which require $\frac{(m-2)(m-1)}{2}(n+1)n + (m-2)(n+1)$ SPMs. In Step 7 we compute $m-1$ modular multiplications of $(n+1)$ digits and $(n+1)i$ digits modulo $(n+1)$ digits for $i = 1, 2, \ldots, m-1$, which require $\frac{(m-1)m}{2}(2n^2 + 4n) + (m-1)(n+1)$ SPMs. In Step 8 we compute multiplications of $(n+1)$ digits and $i(n+1)$ digits for $i = 1, 2, \ldots, m-1$, which require $\frac{(m-1)m}{2}(n^2 + n) + (m-1)(n+1)$ SPMs. The size of the total secret key is $(3m-1)(n+1)$ digits. If we choose $m = 3$, then Multi-Prime decryption requires $9n^3 + 34.5n^2 + 31.5n + 5$ single-precision multiplications and the total size of the secret keys is $8(n+1)$ digits. 

Next we estimate the running time of Multi-Exponent decryption. Let $c$ be the
number of modular multiplications modulo $n$ for computing $a^e \bmod n$ using
some addition chain. For example, we can choose $c = 17$ for $e = 2^{16} + 1$
using the standard binary method. We assume that the secret primes $p, q$ are
$(n+1)$ digits. From Step 1 to Step 3, two modular exponentiations
$C^{d_p} \bmod p$ and $C^{d_q} \bmod q$ are computed, which require
$kn(n+3) + 2(1.5n)(2n^2 + 5n + 1)$ SPMs. In Step 5 we compute multiplications
of $(n+1)$ digits and $(n+1)i$ digits for $i = 1, 2, \ldots, k-1$, which require
$\frac{(k-1)k}{2}(n+1)n + (k-1)(n+1)$ SPMs. The computation $A^e \bmod p^{i+1}$
for $i = 1, 2, \ldots, k-1$ in Step 6 requires
$c\left((2n^2)\left(\frac{k(k+1)(2k+1)}{6} - 1\right) + (5n)\left(\frac{k(k+1)}{2} - 1\right) + (k-1)\right)$
SPMs. The computation $E = C - F \bmod p^{i+1}$ for $i = 1, 2, \ldots, k-1$ in
Step 7 requires n((3 + n)(k — 1)k + (kn-—n—- 3) Med) - n Goer vk) SPMs. The
computation EK(e_inv_p) mod $p^{i+1}$ for $i = 1, 2, \ldots, k-1$ in Step 8
requires 2n(2n+ 1) Ee). $+\,2(2n^2 + 5n + 1)(k-1)$ SPMs. The CRT part of Step 10
and Step 11 requires $3kn^2 + (5k+2)n + 2$ SPMs. The size of the total secret
key is $6(n+1)$ digits, which does not depend on the exponent $k$. If we choose
$k = 2$, then Multi-Exponent decryption requires
$6n^3 + (8c+34)n^2 + (10c+38)n + (c+5)$ single-precision multiplications. For
the encryption exponent $e = 2^{16} + 1$ the Multi-Exponent decryption requires
$6n^3 + 170n^2 + 208n + 22$ single-precision multiplications.

Here we choose the same bit length $n = 341$ ($b = 2$) for the primes of both
the Multi-Prime RSA with $m = 3$ and the Multi-Exponent RSA with $k = 2$. Then
the decryption time of the Multi-Exponent RSA with $e = 2^{16} + 1$ is about
1.40 times faster than that of the Multi-Prime RSA.
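The cost model above is easy to mis-add by hand, so here is an added Python example (not from the lecture notes) that codes the per-step SPM counts of Multi-Prime decryption for general m, the k = 2 closed form of Multi-Exponent decryption, the binary-method count c for a public exponent, and the two secret-key sizes, and recomputes from them the 1.40 speed-up and the key sizes of Table 1. Only the text's own formulas are used; the function names and the digit-to-bit conversion for b = 2 are mine.

```python
def binary_method_mults(e):
    """Number c of modular multiplications of the standard binary method for a^e:
    one squaring per bit below the top bit plus one multiplication per further 1-bit."""
    return (e.bit_length() - 1) + (bin(e).count("1") - 1)


def modexp_spm(n):
    """Average SPMs of an (n+1)-digit modular exponentiation by the binary method."""
    return 1.5 * n * (2 * n * n + 5 * n + 1)


def multi_prime_spm(n, m):
    """SPMs of Multi-Prime decryption with m secret primes of (n+1) digits, step by step."""
    step2 = (m - 1) * n * (n + 3)                        # reduce C modulo each p_i
    step3 = m * modexp_spm(n)                            # C^{d_i} mod p_i
    step5 = (m - 2) * (m - 1) / 2 * (n + 1) * n + (m - 2) * (n + 1)
    step7 = (m - 1) * m / 2 * (2 * n * n + 4 * n) + (m - 1) * (n + 1)
    step8 = (m - 1) * m / 2 * (n * n + n) + (m - 1) * (n + 1)
    return step2 + step3 + step5 + step7 + step8


def multi_exponent_spm_k2(n, c):
    """SPMs of Multi-Exponent decryption for k = 2 (closed form from the text)."""
    return 6 * n**3 + (8 * c + 34) * n**2 + (10 * c + 38) * n + (c + 5)


def secret_key_bits(n, m=3, b=2):
    """Secret key sizes in bits: (3m-1)(n+1) digits versus 6(n+1) digits, log2(b) bits per digit."""
    digit_bits = b.bit_length() - 1
    return (3 * m - 1) * (n + 1) * digit_bits, 6 * (n + 1) * digit_bits


def speedup(n, e, m=3):
    """Ratio of Multi-Prime to Multi-Exponent (k = 2) decryption cost for the same prime size."""
    return multi_prime_spm(n, m) / multi_exponent_spm_k2(n, binary_method_mults(e))


if __name__ == "__main__":
    n, e = 341, 2**16 + 1        # 342-bit primes with b = 2, as in the comparison
    print("c for e = 2^16 + 1:", binary_method_mults(e))
    print("Multi-Prime (m=3) SPMs:", round(multi_prime_spm(n, 3)))
    print("Multi-Exponent (k=2) SPMs:", multi_exponent_spm_k2(n, binary_method_mults(e)))
    print("speed-up: %.2f" % speedup(n, e))
    print("secret key bits (Multi-Prime, Multi-Exponent):", secret_key_bits(n))
```

The step-wise sum in multi_prime_spm reproduces the closed form $9n^3 + 34.5n^2 + 31.5n + 5$ for m = 3, which is a useful check that the per-step terms above were read correctly.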










TABLE 1. Comparison of efficiency for 1024-bit modulus

                  | PKCS #1 Multi-Prime RSA | Multi-Exponent RSA (e = 2^16 + 1)
  Key generation  | 880.12 ms               | 589.08 ms
  Decryption      | 20.04 ms                | 14.13 ms
  Secret keys     | 2736 bits               | 2052 bits





In order to demonstrate the efficiency of Multi-Exponent RSA, we implemented
both the Multi-Prime RSA (Multi-Prime decryption with $m = 3$) and the
Multi-Exponent RSA (Multi-Exponent decryption with $k = 2$, $e = 2^{16} + 1$) on
a Celeron 500 MHz using the LiDIA library version 2.0 [LiDIA] and TurboLinux
6.0. We also implemented the key generation of these schemes. In Table 1 we
show the timings for a 1024-bit modulus with 342-bit primes. The timings in the
table are average values of 10,000 random instances. The improvements of the
Multi-Exponent RSA over the Multi-Prime RSA are as follows: the key generation
is about 49% faster, the decryption is about 42% faster, and the key size is
about 33% smaller.


3. Implementation Attack on RSA-CRT 


Recently many attacks on the practical implementation of cryptography have been
proposed. We describe some attacks on RSA with the Chinese remainder theorem
(RSA-CRT). The algorithm and notation used in this section are the same as
those of the previous section.

Timing Attack. We explain the timing attack proposed by Kocher [Koc96]. The
decryption algorithm of RSA-CRT computes $C^{d_p} \bmod p$ using the secret key
$d_p, p$ for a given ciphertext $C$. Before computing $C^{d_p} \bmod p$, we
usually reduce the ciphertext $C$ modulo $p$ in order to achieve a faster
decryption. However, if the ciphertext $C$ is smaller than the secret prime
$p$, then the ciphertext $C$ is not reduced modulo $p$. There is a difference of
timing between $C < p$ and $C > p$ for computing $C^{d_p} \bmod p$ in the
implementation. Let $O_p$ be the oracle that answers 1 (or 0) if $C < p$ (or
$C > p$) for a given ciphertext $C$. The attacker can recover $p$ by the binary
search as follows:


Timing Attack on RSA-CRT

Input: public key $(n, e)$, bit-length $B$ of $p$
Output: secret prime $p$ such that $n = pq$.
1. Set $C \leftarrow 2^{B-1}$
2. For $i = B-1$ down to 0
   2.1. Set $A \leftarrow C + 2^i$
   2.2. If $O_p(C) = 1$ holds, then set $C \leftarrow A$
3. Return $C$.


We assume that the most significant bit of the prime $p$ is one, namely
$p \in [2^{B-1}, 2^B)$. In Step 1, we assign the lower bound of the secret
prime $p$. In Step 2, the approximation of $p$ is computed by adding $2^i$ to
$C$ for $i = B-3, B-4, \ldots, 1, 0$. If the oracle answers $O_p(C) = 1$, then
we know $C < p$ and we assign the larger lower bound $C \leftarrow A$. In Step 3
we return the secret prime $p$. Recently Boneh et al. showed an experimental
result of this timing attack in the server-client model: some implementations
of SSL are vulnerable [BB03].

We explain a standard countermeasure against the timing attack, called the
ciphertext blinding method. Before decrypting the ciphertext $C = M^e \bmod n$,
we randomize it by $C' = CR^e \bmod n$ with a random integer
$R \in \mathbb{Z}/n\mathbb{Z}$. Then $C'$ is decrypted by
$M' = C'^d \bmod n = MR \bmod n$. Then the randomness $R$ is removed by
$M = M'R^{-1} \bmod n$. A drawback of this scheme is the expensive computation
of the inverse $R^{-1} \bmod n$. While we can compute $R^{-1} \bmod n$ using the
modular exponentiation $R^{\varphi(n)-1} \bmod n$, it requires a large
overhead.


Fault Attack. We explain the fault attack on RSA-CRT proposed by [JLQ99]. Let
$C = M^e \bmod n$ be a ciphertext of the message $M$. The fault attack tries to
manipulate one bit of the message modulo $q$ (we call it $M_q$) during the
decryption of $C$ (the message modulo $p$ remains correct). Then the resulting
message obtained by the Garner algorithm is

$$M' = M_p + pV, \qquad V = (M_q - M_p)\,p^{-1} \bmod q.$$

Note that $M' = M \bmod p$ and $M' \neq M \bmod q$, and thus the modulus can be
factored by computing $\gcd(M - M', n)$.
This attack was extended to more sophisticated fault attacks ([BDL01, KR02],
etc.). Aumüller et al. showed an experimental result of this attack [ABF+02].
They also proposed a countermeasure, which checks every process during the
decryption, e.g. $M_p = M \bmod p$, $M^e = C \bmod n$, etc.
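To make the timing attack, the blinding countermeasure and the fault attack concrete, here is an added Python example (my code, not from the lecture notes) on a constructed toy RSA-CRT key. It implements CRT decryption with Garner's recombination as written above, models the reduction leak as an ideal oracle answering whether $C < p$ and runs the bisection against it, shows that ciphertext blinding makes the reduction step operate on $CR^e$ instead of the attacker's $C$, and reproduces the fault-attack relation $\gcd(M - M', n) = p$ together with the re-encryption check that keeps a faulty result from leaving the device. The key size, the blinding value and the flipped bit position are my choices for illustration.

```python
import math

# Constructed toy RSA key (not secure; chosen only so the arithmetic is quick to follow).
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ = D % (P - 1), D % (Q - 1)
PINV = pow(P, -1, Q)                  # p^{-1} mod q for Garner's recombination


def crt_decrypt(c, flip_bit=None):
    """RSA-CRT decryption with Garner's algorithm: M = M_p + p V, V = (M_q - M_p) p^{-1} mod q.
    flip_bit models the fault of [JLQ99]: one bit of M_q is disturbed while M_p stays correct."""
    mp = pow(c % P, DP, P)
    mq = pow(c % Q, DQ, Q)
    if flip_bit is not None:
        mq ^= 1 << flip_bit
    v = (mq - mp) * PINV % Q
    return mp + P * v


def reduction_oracle(c):
    """Ideal model of the timing leak O_p: 1 if C < p (no reduction modulo p happens), else 0."""
    return 1 if c < P else 0


def recover_p(bit_length, oracle):
    """Bisection of the text: start at the lower bound 2^{B-1} and settle one bit per query.
    With a strict 'C < p' oracle the search converges to p - 1, so one is added at the end."""
    c = 1 << (bit_length - 1)
    for i in range(bit_length - 2, -1, -1):
        a = c + (1 << i)
        if oracle(a) == 1:
            c = a
    return c + 1


def blinded_decrypt(c, r):
    """Ciphertext blinding: decrypt C' = C R^e mod n and strip R afterwards, so the
    data-dependent reduction step never sees the attacker's ciphertext C itself."""
    c_blind = c * pow(r, E, N) % N
    m_blind = crt_decrypt(c_blind)             # equals M R mod n
    return m_blind * pow(r, -1, N) % N


def factor_from_fault(m):
    """One correct and one faulted CRT result of the same input factor n: gcd(M - M', n) = p."""
    c = pow(m, E, N)
    good, bad = crt_decrypt(c), crt_decrypt(c, flip_bit=0)
    return math.gcd(good - bad, N)


def verified_decrypt(c, flip_bit=None):
    """Countermeasure in the spirit of [ABF+02]: re-encrypt and compare before releasing M."""
    m = crt_decrypt(c, flip_bit)
    return m if pow(m, E, N) == c else None


if __name__ == "__main__":
    c = pow(42, E, N)
    print("p recovered with", P.bit_length() - 1, "oracle queries:",
          recover_p(P.bit_length(), reduction_oracle) == P)
    print("blinded decryption correct:", blinded_decrypt(c, 12345) == 42)
    print("fault attack recovers p:", factor_from_fault(42) == P)
    print("faulty result suppressed:", verified_decrypt(c, flip_bit=0) is None)
```

The oracle here is ideal; in practice the attacker has to average noisy timings, but the number of queries stays one per bit of $p$, which is why the leak is worth closing by blinding rather than by adding noise.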


SPA/DPA. Kocher et al. proposed the power analysis against cryptographic
devices, namely the simple power analysis (SPA) and the differential power
analysis (DPA) [KJJ99]. SPA tries to break the secret information by using a
single power consumption trace as leaked data, and DPA additionally uses
statistical analysis of the power consumption. The binary method for computing
the modular exponentiation $C^d \bmod n$ is vulnerable against SPA. The power
consumption required for squaring and multiplication is not completely the
same, and SPA can distinguish the two operations. Messerges et al.
experimentally showed that the binary method is vulnerable against SPA [MDS99].
An experimental DPA against the modular exponentiation $C^{d_p} \bmod p$ was
demonstrated by den Boer et al. [BLW02]. The ciphertext blinding method resists
this type of attack. The other countermeasure is the exponent blinding method,
which randomizes the secret exponent by computing $d' = d + \varphi(n) r$ for
some integer $r$.


Novak Attack. Novak proposed an SPA against the Chinese remainder theorem part
[Nov02]. He focused on the following implementation of $M_q - M_p \bmod q$:
first compute $y = M_q - M_p$ and then $y = y + q$ if $y = M_q - M_p < 0$ holds.
The experimental result shows that the side channel information of
$y = M_q - M_p < 0$ can be detected by SPA.

Novak developed a binary search algorithm for finding the secret prime $q$
using the oracle $\delta$ that answers $\delta(x) = 1$ for $x < 0$ and
$\delta(x) = 0$ otherwise. The characteristic function $\delta$ has the
following property.


Lemma 3.1. Let $q > p$. In ascending order of $x = 0, 1, 2, \ldots$, the sign
$\delta(x)$ has the pattern

BG) SU Monn BOI ey. dace LO oO dehy a, 
If $\delta(x-1) = 1$ and $\delta(x) = 0$ hold, then $q \mid x$ ($q$ is a divisor of $x$).


Proof. We divide $\mathbb{Z}/n\mathbb{Z}$ into two parts, namely
$\mathbb{Z}/n\mathbb{Z} = LP \cup UP$, where $LP = \{0, 1, \ldots, p-1\}$,
$UP = \{p, p+1, \ldots, n-1\}$. Note that $\delta(x) = 1$ holds for all
$x \in LP$ due to $q > p$. Thus we assume that $x \in UP$. Let
$f(x) = x \bmod q - x \bmod p$; then $\delta(x) = 1$ iff $f(x) > 0$. Next
$\delta(kq) = 0$, $\delta(kq - 1) = 1$ holds for $0 < k < p$, because
$f(kq) < 0$ and $f(kq - 1) \geq (q-1) - (p-1) > 0$. Moreover, $\delta(k'p) = 1$
holds for $0 < k' < q$. Thus, the two sequences $x \bmod p$ and $x \bmod q$
have the following pattern:

$$x \bmod q = \{\ldots, q-2, q-1, 0, 1, 2, \ldots\},$$
$$x \bmod p = \{\ldots, l-2, l-1, l, l+1, l+2, \ldots\},$$

where $l$ is an integer $0 < l < p$. Once $t \bmod q > t \bmod p$ holds for
successive $t \bmod q$, then $\delta(x) = 1$ for $x = t, t+1, \ldots, q-2, q-1$.
Thus the corresponding $\delta$ sequence is
$\delta(x) = \underbrace{0, \ldots, 0}_{q-s}, \underbrace{1, \ldots, 1}_{s}$
for $x \bmod q = 0, 1, 2, \ldots, q-1$ and some integer $s$. Consequently we
have proved the proposition.
From this lemma we can construct a binary search algorithm for the secret prime
$q$ in the setting of the adaptive chosen ciphertext attack.

Novak Attack on RSA-CRT

Input: public key $(n, e)$, bit-length $B$ of $p$
Output: secret prime $q$ such that $n = pq$
1. Choose $x_0, x_1 \in \mathbb{Z}/n\mathbb{Z}$ s.t. $x_0 < x_1$, $x_1 - x_0 < 2^B$, $\delta(x_0) = 1$, $\delta(x_1) = 0$
2. Set $LB = x_0$, $UB = x_1$
3. While $LB \neq UB$ do the following
   3.1. $M = \lfloor (LB + UB)/2 \rfloor$
   3.2. Compute $\delta(M)$ of $C = M^e \bmod n$
   3.3. If $\delta(M) = 1$, then $LB = M$, otherwise $UB = M$
4. Compute $q = \gcd(M, n)$
5. Return $q$


We should note that Novak's attack is effective for $M_q \approx M_p$ only,
because $y$ then often takes different signs. A countermeasure against SPA is
to always compute $y' = y + q$, and then we choose $y'$ if and only if
$M_q - M_p < 0$. Note that the exponent blinding method does not resist the
Novak attack.
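As an added example (my code, not from the lecture notes), the following Python checks Lemma 3.1 on a constructed toy modulus $n = 101 \cdot 103$ by listing every $x$ at which $\delta$ drops from 1 to 0 and comparing the list with the multiples of $q$, runs the bisection of the Novak attack against an ideal $\delta$ oracle, and shows the countermeasure above as a masked selection between $y$ and $y' = y + q$ that performs the same arithmetic whichever sign $y$ has. The toy primes, the $\delta$ oracle written in terms of the lemma's $f(x)$, and the selection helper are my assumptions; Python integers are not a constant-time environment, so the mask only illustrates the pattern.

```python
import math

P, Q = 101, 103                      # constructed toy primes with q > p, as Lemma 3.1 requires
N = P * Q


def delta(x, p=P, q=Q):
    """Sign oracle of Lemma 3.1 in terms of f(x) = x mod q - x mod p: 1 iff f(x) > 0."""
    return 1 if (x % q) - (x % p) > 0 else 0


def one_to_zero_transitions(p=P, q=Q):
    """All x in Z/nZ with delta(x-1) = 1 and delta(x) = 0; Lemma 3.1 says each is a multiple of q."""
    return [x for x in range(1, p * q) if delta(x - 1, p, q) == 1 and delta(x, p, q) == 0]


def novak_search(n, oracle, x0, x1):
    """Bisection between x0 (oracle 1) and x1 (oracle 0) with x1 - x0 below q. Inside one block
    of q consecutive values f(x) never decreases, so the oracle drops from 1 to 0 only at a
    multiple of q: the first 0 after the last 1 is that multiple and gcd with n gives q."""
    lb, ub = x0, x1
    queries = 0
    while ub - lb > 1:               # stop when the bounds are adjacent (floor((lb+ub)/2) == lb)
        m = (lb + ub) // 2
        queries += 1
        if oracle(m) == 1:
            lb = m
        else:
            ub = m
    return math.gcd(ub, n), queries


def garner_step_masked(mp, mq, p, q):
    """(M_q - M_p) mod q computed as the text's countermeasure: always form y' = y + q and
    select with a mask derived from the sign instead of a data-dependent branch."""
    y = mq - mp
    y_plus_q = y + q
    mask = -(y < 0)                  # -1 (all ones) if y is negative, else 0
    return (y_plus_q & mask) | (y & ~mask)


if __name__ == "__main__":
    print("transitions are exactly the multiples of q:",
          one_to_zero_transitions() == [Q * k for k in range(1, P)])
    q_found, queries = novak_search(N, delta, 514, 555)
    print("q found:", q_found, "after", queries, "oracle queries")
    print("masked selection agrees with (M_q - M_p) mod q:", all(
        garner_step_masked(a, b, P, Q) == (b - a) % Q for a in range(P) for b in range(Q)))
```

The starting pair 514, 555 satisfies the algorithm's conditions for this toy key ($\delta(514) = 1$, $\delta(555) = 0$, distance below $2^7$), and the search ends at 515 = 5 · 103.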


Remark 3.2. The timing attack and the Novak attack are effective in the chosen
ciphertext attack setting. However, they are not feasible against probabilistic
signatures, e.g., RSA-PSS [PKCS]. Even if the attacker chooses a message $M$,
it is randomized by a padding function $\rho$ to $\rho(M)$. The attacker cannot
control the size of $\rho(M)$. Very recently, Fouque et al. proposed an
extension of the Novak attack on RSA with randomly chosen messages, but this
attack is restricted to unbalanced moduli s.t. $p \gg q$ [FMP03].


4. EPOC Cryptosystem 


EPOC-2 is a public-key cryptosystem that can be proved IND-CCA2 under the
factoring assumption in the random oracle model. It was written into the
standard specification P1363 of IEEE, and it has been a candidate public-key
cryptosystem in several international standards (or portfolios) on
cryptography, e.g. NESSIE, CRYPTREC, ISO, etc.

In this section we analyze a chosen ciphertext attack against EPOC-2 from
NESSIE by observing the timing of the reject signs from the decryption oracle.
We construct an algorithm which can factor the public modulus using the
difference of the reject symbols. For random 384-bit primes, the modulus can be
factored with probability at least 1/2 by invoking the decryption oracle about
385 times.


4.1. EPOC-2 Cryptosystem 


We review the EPOC-2 encryption scheme in the following. There are several
different versions of EPOC-2, as scientific papers ([FO99b], [FO01]) or as
specifications of international standards (or portfolios) ([IEEE], [NESSIE],
[CRYPTREC]), etc. Here we consider the current specification and the notation
of the self-evaluation report that were submitted to the 2nd phase of the
NESSIE project [NESSIE]. The specifications of EPOC-2 from IEEE and CRYPTREC
are similar to that of NESSIE.


Key Generation
  $pLen$, the bit length of the prime $p$
  $n = p^2 q$, the modulus, $g \in \mathbb{Z}/n\mathbb{Z}$ s.t. $p \mid \mathrm{ord}_{p^2}(g)$
  $g_p = g \bmod p^2$, $h = g^n \bmod n$
  Public key: $(n, g, h, pLen)$, Secret key: $(p, q, g_p)$

Encryption
  $m \in \{0,1\}^*$, a message, $\sigma \in \{0,1\}^{pLen-1}$, a random integer
  $c_2 = m \oplus G(\sigma)$, $c_1 = g^{\sigma} h^{H(m, \sigma, c_2)} \bmod n$
  The ciphertext: $(c_1, c_2)$

Decryption
  $\sigma^* = L(c_1^{p-1} \bmod p^2)\, L(g_p^{p-1} \bmod p^2)^{-1} \bmod p$ $(= [[c_1]]_g)$
  If $|\sigma^*| < pLen - 1$, then go to the next step, otherwise return Reject,
  $m^* = c_2 \oplus G(\sigma^*)$, if $c_1 = g^{\sigma^*} h^{H(m^*, \sigma^*, c_2)} \bmod q$ holds,
  then output $m^*$ as the decryption of $(c_1, c_2)$, otherwise return Reject.

FIGURE 1. EPOC-2 Cryptosystem


EPOC-2 is a probabilistic encryption scheme based on the hardness of the
factoring problem of $n = p^2 q$, where $p, q$ are distinct prime numbers. Let
$pLen$ be the bit-length of the prime $p$. In the key generation, we
additionally generate an integer $g$ of $\mathbb{Z}/n\mathbb{Z}$ such that
$p \mid \mathrm{ord}_{p^2}(g)$ (the order of $g \bmod p^2$ in the group
$(\mathbb{Z}/p^2\mathbb{Z})^*$ is divisible by $p$). Moreover, we compute
$g_p = g \bmod p^2$ and $h = g^n \bmod n$. Then the public key and the secret
key of EPOC-2 are $(n, g, h, pLen)$ and $(p, q, g_p)$, respectively. Let $G$ be
a mask generation function $\{0,1\}^{pLen-1} \to \{0,1\}^*$ and let $H$ be a
hash function $\{0,1\}^* \times \{0,1\}^{pLen-1} \times \{0,1\}^* \to \{0,1\}^{rLen}$,
where $rLen$ is the bit-length of the output of the hash function $H$, defined
by the security parameter for the primes $p, q$. There are several variations
of EPOC-2 in the key generation (e.g. $h$ of CRYPTREC is chosen differently),
but the proposed attack is not affected by these variations.

The encryption of EPOC-2 is computed as follows: $m \in \{0,1\}^*$ is a
message with arbitrary bit length. For a random integer
$\sigma \in \{0,1\}^{pLen-1}$, we encrypt the message $m$ as follows:
$c_2 = m \oplus G(\sigma)$, $c_1 = g^{\sigma} h^{H(m, \sigma, c_2)} \bmod n$.
The ciphertext of $m$ is $C = (c_1, c_2)$.

The decryption of EPOC-2 is as follows: At first the first component $c_1$ of
the ciphertext $C$ is decrypted by computing
$\sigma^* = L(c_1^{p-1} \bmod p^2)\, L(g_p^{p-1} \bmod p^2)^{-1} \bmod p$, where
$L(x) = (x-1)/p$. We also denote
$[[c_1]]_g = L(c_1^{p-1} \bmod p^2)\, L(g_p^{p-1} \bmod p^2)^{-1} \bmod p$.
Here we have the first reject function based on the size of $\sigma^*$. Let
$|\sigma^*|$ be the bit-length of $\sigma^*$. If $|\sigma^*| > pLen - 1$, we
stop the decryption procedure and return Reject. Otherwise we go to the next
step. This rejection function is necessary in order to prevent the attack
proposed by Joye, Quisquater, and Yung [JQY01]. We denote this reject symbol by
Reject 1. Note that the ciphertext $C = (c_1, c_2)$ with $c_1 = g^r \bmod n$ for
an integer $r < 2^{pLen-1}$ and a random integer $c_2 \in \mathbb{Z}/n\mathbb{Z}$
is not rejected by this test and goes to the next step, although $C$ is an
invalid ciphertext (it is rejected in the next step). The message $m^*$ is
decrypted by computing $m^* = c_2 \oplus G(\sigma^*)$. Here we have the second
rejection function. If $c_1 = g^{\sigma^*} h^{H(m^*, \sigma^*, c_2)} \bmod q$
holds, then output $m^*$ as the decryption of $(c_1, c_2)$, otherwise return
Reject.


History of EPOC. We shortly review the history of the specifications of EPOC 
family. We mainly discuss how the reject symbol that is returned by the decryption 
oracle has been changed. 

The cryptographic primitive of EPOC was proposed by Uchiyama and Oka- 
moto at EUROCRYPT’98 [OU98]. The one-wayness and the semantic security 
(IND-CPA) of the primitive are as secure as factoring and p-subgroup problem in 
the standard model. The EPOC primitive has no reject symbol in the decryption 
oracle, so that it is insecure against the chosen ciphertext attack. Indeed, Joye, 
Quisquater, and Yung proposed a chosen ciphertext attack against the EPOC 
primitive at rump session of Eurocrypt’98 [JQY98]. Let c be the ciphertext of m, 
which is larger than the secret key p. If the attacker obtains the decrypted message 
m’ of the ciphertext c, the modulus n of the EPOC primitive can be factored by 
computing gcd(m — m’,n) = p. 

At CRYPTO'99 Fujisaki and Okamoto proposed a conversion technique that
enhances the EPOC primitive to be IND-CCA2 under the factoring assumption in
the random oracle model [FO99b]. In the decryption process the conversion
checks the integrity of the ciphertext by re-encrypting the message. This
version of EPOC was submitted to the IEEE P1363a in October 1998 [IEEE]. Joye
et al. proposed a chosen ciphertext attack against the submission (ver. D6 of
EPOC-2 in IEEE) [JQY01]. We call it the JQY attack. The JQY attack is based on
the chosen ciphertext attack against the EPOC primitive [JQY98], and the attack
tries to find an approximation of the secret prime $p$ by adaptively asking
ciphertexts (whose message is as large as $p$) to the decryption oracle. In the
paper [JQY01] they suggested that if the decryption oracle checks the size of
the integer decrypted by the EPOC primitive, the JQY attack is no longer
successful. The reject symbol arising from this rejection function is called
Reject 1 in Section 4.2. The current version of EPOC-2 from IEEE supports this
reject function and the JQY attack does not work for it.

The security reduction from [FO99b] was evaluated for general cryptographic
primitives and the advantage of the reduction was not so tight. Fujisaki and
Okamoto proved a better security reduction in the paper [FO01]. In that paper
they included the reject treatment proposed by Joye et al. (Reject 1).

EPOC-2 has been proposed at NESSIE 1st/2nd phase [NESSIE] and at CRYPTREC
2000/2001 [CRYPTREC]. These versions support the rejection function
(Reject 1). We notice that the specification of EPOC-2 from the NESSIE 1st
phase is different: the decryption oracle returns only one reject symbol after
completing all steps of the decryption process. Although EPOC has not been
incorporated into the draft of the ISO Standard, EPOC-2 will be included in the
standard [Sho01].

We summarize this history of EPOC related to the reject function in the next
table.


  EPOC Version      | Based Paper | Reject 1 | JQY Attack
  EPOC Primitive    | [OU98]      | NO       | YES
  IEEE (ver D6)     | [FO99b]     | NO       | YES
  IEEE Version      |             | YES      | NO
  CRYPTREC Version  | [FO01]      | YES      | NO
  NESSIE Version    | [FO01]      | YES      | NO





4.2. Reject Timing Attack on EPOC-2 


We describe the reject timing attack against the current version of EPOC-2.
Dent initially proposed a reject timing attack against the EPOC-2 cryptosystem
[Den02a]. The attack is based on the JQY attack [JQY01]. Although the current
version of EPOC-2 is secure against the JQY attack, the reject timing attack
can break it using the timing of the two different rejection symbols.

At first we show an observation on the decryption algorithm of EPOC-2. In the
decryption process, the calculation of the integrity check
$c_1 = g^{\sigma^*} h^{H(m^*, \sigma^*, c_2)} \bmod q$ is executed if and only
if $|\sigma^*| < pLen - 1$ holds. It has two modular exponentiations modulo $q$
and their running time is relatively slow: several milliseconds in standard
computation environments. The timing attack, which measures the timing of
receiving Reject from the decryption oracle, can observe the calculation.
Therefore we use the following assumption:

   For any ciphertext $C = (c_1, c_2)$, the attacker can know whether
   $\sigma^* = [[c_1]]_g$ satisfies $\sigma^* \in \{0,1\}^{pLen-1}$ or not by
   asking the ciphertext $C$ to the decryption oracle.

From this assumption, the attacker can tell the difference between two reject
symbols: the error of the primitive decryption (Reject 1) and the error of the
integrity check (Reject 2) in the decryption oracle. If the ephemeral integer
$\sigma^*$ decrypted by the EPOC primitive is larger than $2^{pLen-1}$, then
Reject 1 is returned. The reject symbol Reject 2 is returned if both
$|\sigma^*| < pLen - 1$ and
$c_1 \neq g^{\sigma^*} h^{H(m^*, \sigma^*, c_2)} \bmod q$ for
$m^* = c_2 \oplus G(\sigma^*)$ hold.


Decryption with two reject symbols
  $\sigma^* = L(c_1^{p-1} \bmod p^2)\, L(g_p^{p-1} \bmod p^2)^{-1} \bmod p$ $(= [[c_1]]_g)$
  If $|\sigma^*| < k - 1$, then go to the next step, otherwise return Reject 1,
  $m^* = c_2 \oplus G(\sigma^*)$, if $c_1 = g^{\sigma^*} h^{H(m^*, \sigma^*, c_2)} \bmod q$ holds,
  then output $m^*$ as the decryption of $(c_1, c_2)$, otherwise return Reject 2.





We state this observation as the following lemma. 


Lemma 4.1. Let $C = (c_1, c_2)$ be a ciphertext of EPOC. Let
$\sigma^* = [[c_1]]_g$ be the ephemeral integer decrypted by the EPOC
primitive. We have the following conditions:
(1) $\sigma^* > 2^{pLen-1} \Rightarrow$ Reject 1,
(2) $c_1 \neq g^{\sigma^*} h^{H(m^*, \sigma^*, c_2)} \bmod q$ for $m^* = c_2 \oplus G(\sigma^*)$ $\Rightarrow$ Reject 2.


Main Idea. We describe the main idea of our attack. Let $C = (c_1, c_2)$ be a
valid ciphertext of EPOC-2. Let $\sigma^* = [[c_1]]_g$. The attacker
manipulates the ciphertext $C$ by multiplying it with an integer
$D = g^a \bmod n$, namely $C' = (c_1/D \bmod n, c_2)$. The ciphertext $C'$ is
rejected by the decryption oracle with overwhelming probability, because the
second integrity check fails
($c_1 \neq g^{\sigma^*} h^{H(m^*, \sigma^*, c_2)} \bmod q$ for
$m^* = c_2 \oplus G(\sigma^*)$). However, the attacker can learn a relation
between $\sigma^*$ and $a$ from the rejection symbols: Reject 1 or Reject 2.
Indeed we have the following lemma.

Lemma 4.2. Assume $p > 2^{pLen-1} + a$ for a positive integer
$a < 2^{pLen-1}$. Let $C = (c_1, c_2)$ be a ciphertext of EPOC-2. Let
$[[c_1]]_g = \sigma^*$. The reject symbol against the ciphertext
$C' = (c_1/D, c_2)$ with $D = g^a \bmod n$ is equal to Reject 2 if and only if
$\sigma^* \geq a$ holds.

Proof. Note that $[[c_1/D \bmod n]]_g = \sigma^* - a \bmod p$. If
$\sigma^* \geq a$ holds, then we have
$[[c_1/D \bmod n]]_g = \sigma^* - a < 2^{pLen-1}$ and the reject symbol is
Reject 2. If $\sigma^* < a$ holds, then we have
$[[c_1/D \bmod n]]_g = \sigma^* - a + p$. Because of
$\sigma^* - a + p > \sigma^* + 2^{pLen-1} \geq 2^{pLen-1}$, the ciphertext $C'$
is rejected with Reject 1.














Therefore the difference of the reject symbols yields an oracle which answers
whether the condition $\sigma^* \geq a$ holds or not for a given ciphertext
$C = (c_1, c_2)$ and an integer $a$, where $[[c_1]]_g = \sigma^*$. If we ask
the ciphertext $C$ with many different $a$ to the decryption oracle, the
attacker can find an approximation of $\sigma^*$.

Once we know an algorithm which answers $\sigma^* = [[c_1]]_g$ for a given
ciphertext $C = (c_1, c_2)$, we can factor the modulus $n$. We have the
following lemma.

Lemma 4.3. Let $c_1 = g^{\sigma} \bmod n$ with $\sigma > p$. If we know the
decryption
$\sigma^* = L(c_1^{p-1} \bmod p^2)\, L(g_p^{p-1} \bmod p^2)^{-1} \bmod p = [[c_1]]_g$,
then we can factor the modulus by computing $\gcd(\sigma - \sigma^*, n) = p$.











Proof. Because $\sigma^* = [[c_1]]_g = \sigma \bmod p$ holds, we have $p \mid (\sigma - \sigma^*)$.





This lemma is used for the security proof of the EPOC primitive [OU98] and the
chosen ciphertext attack on the EPOC primitive (JQY attack) [JQY01].

In the following we will construct an algorithm that finds $\sigma^*$ for a
given ciphertext $c_1$ and an integer $\sigma$ using the oracle above. We show
the high level description of the attack as follows.

1. Choose an integer $\sigma$ such that $\sigma > 2^{pLen} > p$. Compute
   $c_1 = g^{\sigma} \bmod n$. Let $C = (c_1, c_2)$ be a ciphertext for random
   $c_2 \in \{0,1\}^*$.
2. The attacker asks the manipulated ciphertext $C' = (c_1/D, c_2)$ to the
   decryption oracle, where $D = g^a \bmod n$ for some integers
   $0 < a < 2^{pLen-1}$. He/she analyzes the reject symbols for the ciphertexts
   $C'$.
3. The attacker outputs $\sigma^* (= \sigma \bmod p)$ and factors $n$ by
   $\gcd(\sigma - \sigma^*, n)$.
Initialization. In the beginning of the attack, we require a ciphertext
$c_1 = g^{\sigma} \bmod n$ with $\sigma > p$ and
$\sigma^* = \sigma \bmod p < 2^{pLen-1}$. This condition is easily tested by
asking the ciphertext $C = (c_1, c_2)$ to the decryption oracle.

If we choose $\sigma$ from the interval $[2^{pLen}, 2^{pLen+1})$, then
$\sigma \bmod p < 2^{pLen-1}$ is satisfied with probability at least 1/2. Thus
we have the following initialization for our attack.

Initialization

Input: $n, g, pLen$
Output: $C = (c_1, c_2)$ with $\sigma > p$, $\sigma^* = \sigma \bmod p < 2^{pLen-1}$
1. Generate $\sigma \in_R [2^{pLen}, 2^{pLen+1})$
2. Compute $C = (c_1, c_2)$, where $c_1 = g^{\sigma} \bmod n$, $c_2 \in_R \{0,1\}^*$
3. Ask $C$ to the decryption oracle. If we receive Reject 1, go to step 1
4. Return $C$


Outline of Attack. We explain the outline of the reject timing attack. The
attack guesses the bits of $\sigma^* = \sigma \bmod p$ from the most
significant bit. From Lemma 4.2, the attack can guess whether $\sigma^*$ is
larger or smaller than a given bound. Let $UB$, $LB$ be the upper bound and
lower bound of $\sigma^*$ known by the oracle calls, respectively. $UB$ and
$LB$ are stored as temporary values. The attacker tries to shrink the distance
$UB - LB$ by asking the oracle. From the initialization, we have $LB = 0$ and
$UB = 2^{pLen-1}$ in the beginning. Moreover we assume that
$p > 2^{pLen-1} + 2^{pLen-2}$, which is satisfied with probability at least 1/2
for randomly chosen $pLen$-bit primes.

We explain how to guess whether $\sigma^* \geq 2^{pLen-2}$ or not. We assume
that the ciphertext is already initialized. Let $D = g^a \bmod n$ for
$a = 2^{pLen-2}$. If we ask the ciphertext $C' = (c_1/D \bmod n, c_2)$ to the
decryption oracle, from Lemma 4.2 we have the following relationship:

(1) $\sigma^* \geq 2^{pLen-2} \Leftrightarrow$ Reject 2
(2) $\sigma^* < 2^{pLen-2} \Leftrightarrow$ Reject 1

Therefore we know that $\sigma^*$ is in the interval $[0, 2^{pLen-2})$ or
$[2^{pLen-2}, 2^{pLen-1})$. Indeed we assign $LB = Av$ if Reject 2, otherwise
$UB = Av$, where $Av = (LB + UB)/2$.

In order to guess the next most significant bits, the following normalization
of the ciphertext is executed. If $\sigma^*$ is in the upper interval
$[2^{pLen-2}, 2^{pLen-1})$, then the ciphertext is normalized by calculating
$c_1/D \bmod n$ with the integer $D = g^{\beta} \bmod n$ for
$\beta = 2^{pLen-2}$. Here $c_1/D \bmod n$ was already computed in the previous
step, and we just assign $c_1 = c_1/D \bmod n$ if the integer $\sigma^*$ is in
the upper interval $[2^{pLen-2}, 2^{pLen-1})$.

Then we manipulate the ciphertext $c_1/D$ with $D = g^a \bmod n$ for
$a = 2^{pLen-3}$. From $p > 2^{pLen-1} + 2^{pLen-2}$ the prime $p$ satisfies
the assumption of Lemma 4.2 for $a = 2^{pLen-3}$, namely
$p > 2^{pLen-1} + 2^{pLen-3}$. By asking $C' = (c_1/D, c_2)$ to the oracle, we
know $\sigma^*$ is in the interval $[0, 2^{pLen-3})$ or
$[2^{pLen-3}, 2^{pLen-2})$, and thus $\sigma^*$ is in one of the intervals
$[(i-1)2^{pLen-3}, i\,2^{pLen-3})$ for $i = 1, 2$. Consequently we assign the
new upper/lower bound of $\sigma^*$ by selecting $LB = Av$ if Reject 2 or
$UB = Av$ otherwise, where $Av = (LB + UB)/2$.
If we iterate these steps, the lower bits of the integer $\sigma^*$ can be
found. We eventually find the approximation of $\sigma^*$ with a small error
bound.


Details of Algorithm. We describe the algorithm that factors the modulus n using 
the reject timing attack. 


Reject Timing Attack on EPOC

Input: $n, g, pLen$ (Public Key)
Output: $p, q$ (Secret Primes)
1. $\sigma, C = (c_1, c_2) \leftarrow$ Initialization$(n, g, pLen)$
2. $LB = 0$, $UB = 2^{pLen-1}$
3. For $i = 2$ to $pLen$
4.    $a = 2^{pLen-i}$, $A = c_1/g^a \bmod n$
5.    $Av = (LB + UB)/2$
6.    Ask $C' = (A, c_2)$ to the decryption oracle for random $c_2$
7.    If Reject 2, then $c_1 = A$, $LB = Av$
8.    If Reject 1, then $UB = Av$
9. If $n > p = \gcd(\sigma - \sigma^*, n) > 1$ for $\sigma^* \in [LB, UB]$, then compute $q = n/p^2$.
10. Return $p, q$


In step 1, the first component $c_1$ of the ciphertext satisfies
$\sigma^* = [[c_1]]_g < 2^{pLen-1}$. The difference $UB - LB$ in step 9 is at
most 2 because we iterate the approximation finding algorithm $pLen - 1$ times.
The gcd computation in step 9 is performed at most twice.

If $\gcd(\sigma - \sigma^*, n) = 1$ or $n$ holds, the algorithm fails to factor
the modulus. If the prime $p$ satisfies the condition
$p > 2^{pLen-1} + 2^{pLen-2}$, the algorithm always outputs the prime $p$ due
to Lemma 4.2. If we choose the prime randomly from $2^{pLen-1} < p < 2^{pLen}$,
this requirement is satisfied with probability at least 1/2. Thus we have the
following theorem.

Theorem 4.4. Algorithm RTA_EPOC can factor the modulus $n$ with probability at
least 1/2 if the secret prime $p$ is randomly chosen from $pLen$-bit primes.


Note that our attack is not restricted to these above conditions. The algorithm 
works in general situations, although the probability of success may change. 


An Example. We demonstrate an example of the reject timing attack against
EPOC-2. A key from the test vector distributed by NTT [EPOC] is examined,
namely the public key we tested is as follows:

g = 2

n = 4152082246314238505355867044990543688751999781554451624701106598380392
    1542404818130493308730652602259005592361720580572637999435883733867663
    8939981704437437451639350210369269495068539708532435959993658412592819
    4115043204081322843398774201030468222769615766429364969134206293259707
    9108707252040308702094410062749766137657427879520751496889474301533


The initial integer $\sigma$ should satisfy both $\sigma > 2^{pLen}$ and
$\sigma^* = \sigma \bmod p < 2^{pLen-1}$. The criterion
$\sigma^* < 2^{pLen-1}$ is examined by asking $C = (c_1, c_2)$ to the
decryption oracle, where $c_1 = g^{\sigma} \bmod n$ and $c_2$ is a random
integer. We chose the following value:

σ = 459673101604635995219856896542867619161831215705589851585465126859
    600945206135700890840822595308528953765266714945265


Then we compute the main loop of the reject timing attack. At step 7 the
ciphertext $C = (c_1, c_2)$ is manipulated by computing $c_1/D \bmod n$ with
$D = g^a \bmod n$ for $a = 2^{pLen-i}$ for some integers $i$. The manipulated
ciphertext is asked to the decryption oracle and the attacker learns the lower
bound $LB$ and the upper bound $UB$ of the approximation of the integer
$\sigma^*$. The difference $UB - LB$ shrinks in each iteration. We list several
of the first and last values of the lower bound $LB$ and the upper bound $UB$
of the integer $\sigma^*$ from our experiment.





  i    Rejection   LB (Lower Bound) / UB (Upper Bound)
  2    Reject 2    LB[2] = 0
                   UB[2] = 9850501549098619803069760025035903451269934817616361666987073351061430442874302652853566563721228910201656997576704
  3    Reject 1    LB[3] = 4925250774549309901534880012517951725634967408808180833493536675530715221437151326426783281860614455100828498788352
                   UB[3] = UB[2]
  4    Reject 2    LB[4] = LB[3]
                   UB[4] = 7387876161823964852302320018776927588452451113212271250240305013296072832155726989640174922790921682651242748182528
  ...
  382  Reject 1    UB[382] = UB[381]
  383  Reject 2    LB[383] = LB[382]
                   UB[383] = 5067002360797088795877355807121865756660222766459313556096647551492187643373325124918522171908865342977731283270070
  384  Reject 1    LB[384] = 5067002360797088795877355807121865756660222766459313556096647551492187643373325124918522171908865342977731283270069
                   UB[384] = UB[383]





At the end of the main loop, we know $UB - LB = 1$. Finally we compute
$\gcd(\sigma - \sigma^*, n)$ for the integer $\sigma^* \in [LB[384], UB[384]]$.
If $0 < \gcd(\sigma - \sigma^*, n) < n$ holds, we obtain the secret prime
$p = \gcd(\sigma - \sigma^*, n)$ and the other factor by computing
$q = n/p^2$. In our example, we have successfully obtained the secret prime $p$:

gcd(σ − σ*, n) = 3788384160365324220199829506131214611709758274492754483578
                 0706609009063130230197980493525035283305300898961285972933


How to Repair EPOC-2. The reject timing attack against EPOC is effective
because there are two different rejection processes. One possibility to resist
the attack is to use only one rejection function.

Modified Decryption
  $\sigma^* = L(c_1^{p-1} \bmod p^2)\, L(g_p^{p-1} \bmod p^2)^{-1} \bmod p$
  $m^* = c_2 \oplus G(\sigma^*)$, $c_1' = g^{\sigma^*} h^{H(m^*, \sigma^*, c_2)} \bmod q$.
  Event 1 $= \{|\sigma^*| < k - 1\}$, Event 2 $= \{c_1 = c_1'\}$.
  Set $\Gamma = \{\text{Event 1} \wedge \text{Event 2}\}$.
  If $\Gamma = 1$, output $m^*$ as the decryption of $(c_1, c_2)$, otherwise return Reject.
The decryption oracle always computes both $\sigma^*$ and $c_1'$. Then the
Boolean logic functions Event 1 $= \{|\sigma^*| < k - 1\}$ and Event 2
$= \{c_1 = c_1'\}$ are evaluated. Then the control bit
$\Gamma = \{\text{Event 1} \wedge \text{Event 2}\}$ is assigned. If
$\Gamma = 1$ holds, $m^*$ is output as the decryption of $(c_1, c_2)$,
otherwise Reject is returned. Because the timings for computing the values of
Event 1 and the control bit $\Gamma$ are negligible, the attacker cannot learn
the value of Event 1.

On the other hand, the implementer also has to take care of the treatment of
Event 1 and Event 2. If the history of Event 1 is stored in a log file, then
the attacker can perform the reject timing attack by obtaining the log file.
This was discussed by Manger [Man01] and was extended to the memory dump attack
[KCJ+01]. As described in the current version of PKCS #1, the implementer
should make efforts not to correlate Event 1 with the decrypted ciphertexts.
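The following Python example is mine, not code from the lecture notes or from any EPOC specification. It builds a toy EPOC-2 (constructed 16-bit primes, SHA-256 standing in for G and H, so nothing about it is secure) with the decryption of Section 4.1 and its two reject symbols, runs the reject timing attack of Section 4.2 against an idealized oracle that returns the reject symbol directly (standing in for the timing measurement), recovers $p$ and $q$ through Lemmas 4.2 and 4.3, and then shows that the single-reject decryption of this subsection, which evaluates both events before answering, returns the same symbol for a Reject 1 type and a Reject 2 type ciphertext. The second of those test ciphertexts is built with the secret key only so that its integrity check fails deterministically.

```python
import hashlib
import math
import random

# Constructed toy parameters: pLen = 16 and p with its top two bits set, so that
# p > 2^(pLen-1) + 2^(pLen-2) as Theorem 4.4 assumes. Real EPOC-2 uses 384-bit primes.
PLEN = 16
P, Q = 65521, 65519


def L(x, p):
    """Okamoto-Uchiyama logarithm L(x) = (x - 1)/p for x = 1 mod p, taken modulo p."""
    return ((x - 1) // p) % p


def keygen(p, q, plen):
    n = p * p * q
    g = 2
    while pow(g, p - 1, p * p) == 1:            # need p | ord_{p^2}(g), i.e. L(g^(p-1)) != 0
        g += 1
    return (n, g, pow(g, n, n), plen), (p, q, g % (p * p))


def G(sigma):
    """Mask generation function (toy: one SHA-256 output, 256 bits)."""
    return int.from_bytes(hashlib.sha256(b"G" + sigma.to_bytes(8, "big")).digest(), "big")


def H(m, sigma, c2):
    """Hash to the exponent of h (toy: 32-bit output)."""
    data = b"H" + m.to_bytes(32, "big") + sigma.to_bytes(8, "big") + c2.to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def encrypt(pk, m, sigma):
    n, g, h, _ = pk
    c2 = m ^ G(sigma)
    return pow(g, sigma, n) * pow(h, H(m, sigma, c2), n) % n, c2


def ou_sigma(c1, sk):
    """[[c1]]_g = L(c1^(p-1) mod p^2) * L(g_p^(p-1) mod p^2)^(-1) mod p."""
    p, _, gp = sk
    p2 = p * p
    return L(pow(c1, p - 1, p2), p) * pow(L(pow(gp, p - 1, p2), p), -1, p) % p


def decrypt_two_rejects(pk, sk, c1, c2):
    """Figure 1: size check first (Reject 1); the integrity check runs only afterwards (Reject 2)."""
    _, g, h, plen = pk
    q = sk[1]
    s = ou_sigma(c1, sk)
    if s >= 1 << (plen - 1):                    # |sigma*| > pLen - 1
        return "Reject 1"
    m = c2 ^ G(s)
    if c1 % q != pow(g, s, q) * pow(h, H(m, s, c2), q) % q:
        return "Reject 2"
    return m


def decrypt_single_reject(pk, sk, c1, c2):
    """Modified decryption: both events are always computed, then one control bit decides."""
    _, g, h, plen = pk
    q = sk[1]
    s = ou_sigma(c1, sk)
    m = c2 ^ G(s)
    c1_check = pow(g, s, q) * pow(h, H(m, s, c2), q) % q
    event1 = s < 1 << (plen - 1)
    event2 = c1 % q == c1_check
    return m if (event1 and event2) else "Reject"


def reject_timing_attack(pk, oracle, rng=None):
    """Section 4.2: initialization, one oracle call per bit of sigma* (Lemma 4.2), then gcd
    (Lemma 4.3). The oracle stands in for the timing measurement and returns the symbol itself."""
    rng = rng or random.Random(7)
    n, g, _, plen = pk
    while True:                                 # sigma in [2^pLen, 2^(pLen+1)) with sigma mod p small
        sigma = rng.randrange(1 << plen, 1 << (plen + 1))
        c1 = pow(g, sigma, n)
        if oracle(c1, rng.getrandbits(256)) != "Reject 1":
            break
    found = 0                                   # bits of sigma* = sigma mod p recovered so far
    for i in range(2, plen + 1):
        a = 1 << (plen - i)
        A = c1 * pow(pow(g, a, n), -1, n) % n
        if oracle(A, rng.getrandbits(256)) != "Reject 1":   # Lemma 4.2: current sigma* >= a
            c1, found = A, found + a            # normalize: c1 now encodes sigma* - a
    p = math.gcd(sigma - found, n)              # Lemma 4.3
    return (p, n // (p * p)) if 1 < p < n else None


def symbols_before_and_after_repair(pk, sk):
    """Answers of both oracles to a Reject 1 type and a Reject 2 type ciphertext."""
    n, g, _, plen = pk
    p, q, _ = sk
    big = pow(g, (1 << (plen - 1)) + 5, n)      # sigma* >= 2^(pLen-1): Event 1 fails
    small = q * (pow(g, 77, n) * pow(q, -1, p * p) % (p * p))   # sigma* = 77, but c1 = 0 mod q
    return (decrypt_two_rejects(pk, sk, big, 12345), decrypt_two_rejects(pk, sk, small, 12345),
            decrypt_single_reject(pk, sk, big, 12345), decrypt_single_reject(pk, sk, small, 12345))


if __name__ == "__main__":
    pk, sk = keygen(P, Q, PLEN)
    c1, c2 = encrypt(pk, 0xC0FFEE, 12345)
    print("decrypts correctly:", decrypt_two_rejects(pk, sk, c1, c2) == 0xC0FFEE)
    print("factored by reject timing:", reject_timing_attack(pk, lambda a, b: decrypt_two_rejects(pk, sk, a, b)))
    print("symbols (two rejects, then repaired):", symbols_before_and_after_repair(pk, sk))
```

The attack treats any answer other than Reject 1 as "the size check passed", which also covers the negligible case where a manipulated ciphertext happens to pass the integrity check; against the repaired oracle every answer is the single symbol Reject, so the same loop learns nothing about $\sigma^*$.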


4.3. Relation to Other Cryptosystems 


In this section we discuss how the reject timing attack can be extended to other 
provably secure cryptosystems. 

EPOC-2 consists of the encryption primitive from Okamoto and Uchiyama [OU98]
and the conversion technique from Fujisaki and Okamoto [FO99b] that makes the
encryption primitive semantically secure against the chosen ciphertext attack.
We can consider two possible variations of EPOC-2: (1) replacing the conversion
technique by another one; (2) replacing the encryption primitive by another
one. We discuss how secure these variations are against the reject timing
attack.


Other Conversion Techniques. We can convert the EPOC primitive to be se- 
cure against the chosen ciphertext attack using different conversions. Fujisaki and 
Okamoto proposed a conversion technique that converts an IND-CPA scheme to 
be IND-CCA [FO99a]. The Fujisaki-Okamoto conversion with the EPOC primi- 
tive is called EPOC-1. The EPOC primitive is IND-CPA under a non-standard 
assumption, e.g. the p-subgroup assumption [OU98], and there is no significant 
advantage for EPOC to use this conversion. Pointcheval proposed a general con- 
version technique that can convert a one-way function to be IND-CCA2 [Poi00]}. 
However the security reduction is not so tight. A conversion technique that has the 
tight security reduction from the encryption primitive is the REACT conversion 
[OP01], which is based on the conversion proposed Bellare and Rogaway [BR93]. 
The REACT conversion with the EPOC primitive is called EPOC-3. In Figure 2, 
we show a construction of EPOC using REACT conversion, which is modified — 
the original description in [OP01] does not support two different rejection sym- 
bols — in order to compare the security of the converted scheme against the reject 
timing attack with that of EPOC-2. 

Here H is a hash function that provides the integrity check in the decryption
oracle. In this construction there are two different reject functions. If the timings
of calculating m* = c2 ⊕ G(σ*) and c3 = H(m*, σ*, c1, c2) are relatively slow, then
the attacker has a possibility of telling the difference between the two reject
symbols. However, the computation time of hash functions is generally very short.
On the other hand, the integrity check of EPOC-2 computes two modular
exponentiations. The attacker has a larger chance of breaking EPOC-2 using the
reject timing attack. Similarly, EPOC-1 using the Fujisaki-Okamoto conversion is
vulnerable to the reject timing attack, because it utilizes the re-encryption
technique.

Encryption of m
m ∈ {0,1}*, a message, σ ∈ {0,1}^{pLen−1}, a random integer
c2 = m ⊕ G(σ), c1 = g^σ h^r mod n for a random integer r
c3 = H(m, σ, c1, c2)
The ciphertext: (c1, c2, c3)

Decryption of c
σ* = the EPOC decryption of c1,
If |σ*| < pLen − 1, then go to the next step, otherwise return Reject,
m* = c2 ⊕ G(σ*), if c3 = H(m*, σ*, c1, c2) holds,
then output m* as the decryption of (c1, c2, c3), otherwise return Reject.

FIGURE 2. EPOC using REACT Conversion

Coron et al. proposed the GEM family ([CHJPPT02a], [CHJPPT02b]). The
construction of their conversion technique is based on hash functions and a
symmetric key cryptosystem; the invalid ciphertexts are rejected by the integrity
test using the hash functions and the symmetric key cryptosystem. The computation
time of these integrity tests is much shorter than that of the re-encryption test of
EPOC-2, and the reject timing attack on the GEM family is more difficult.


4.4. Other Encryption Primitives 


The conversion technique by Fujisaki and Okamoto is designed for converting any
one-way function to an IND-CCA2 scheme [FO99b]. The Fujisaki-Okamoto
conversion is applicable to other cryptographic primitives. We discuss the
possibility of adapting our attack to other primitives.

We shortly describe their conversion technique in the following. We do not
describe the hybrid version using a symmetric key system, but the scheme using
hash functions. Let (pk, sk) be the key pair for a given security parameter k.
Let MSP be the message space and let k1 be the size of the message space. E_pk is
the encryption function that encrypts a message in MSP with a k2-bit random
integer. D_sk is the decryption function that satisfies D_sk(E_pk(σ, r)) = σ for
σ ∈ MSP and a random k2-bit integer r. We use a hash function
h : {0,1}* → {0,1}^{k2} and a mask generation function g : {0,1}^{k1} → {0,1}*. In
Figure 3 we describe the Fujisaki-Okamoto conversion technique.

Here we have two different rejection functions. The first one arises from
checking D_sk(c1) ∈ MSP. In the case of EPOC-2, the message space MSP is equal
to {0,1}^{pLen−1}, which is strictly smaller than the range of D_sk(c1). Here, most
standard cryptographic primitives like RSA and ElGamal-type encryption are
permutations and they satisfy the following condition:

$$\mathrm{MSP} = \{\, D_{sk}(c_1) \mid c_1 = E_{pk}(\sigma, r) \text{ for } \sigma \in \mathrm{MSP},\ r \in \{0,1\}^{k_2} \,\}. \quad (4.1)$$

The message space MSP is not smaller than the space of the decrypted messages.
Therefore, no ciphertext is rejected by the first test. However, when we design a
new cryptographic primitive, we have to take care in the treatment of the reject
function.

Encryption of m
m ∈ {0,1}*, a message, σ ∈_R MSP,
c2 = m ⊕ G(σ), c1 = E_pk(σ, H(m, σ))
The ciphertext: c = (c1, c2)

Decryption of c
σ* = D_sk(c1),
If σ* ∈ MSP, then go to the next step, otherwise return Reject,
m* = c2 ⊕ G(σ*), if c1 = E_pk(σ*, H(m*, σ*)) holds,
then output m* as the decryption of (c1, c2), otherwise return Reject.

FIGURE 3. Fujisaki-Okamoto Conversion

The cryptographic primitives that have a degenerate MSP are the Rabin-type
cryptosystems ([Bon01], [NSS01]) or the NICE cryptosystem [BST01]. It is an
interesting problem to investigate their security against the reject timing attack.
Note that Manger's attack [Man01] is not effective on the Rabin-type cryptosystem
because the Rabin primitive has no reject function based on the size of the
integer-to-octet conversion. On the other hand, the Paillier primitive is known as
an extension of EPOC to the ring Z/n²Z where n is the RSA modulus [Pai99]. The
message space of the Paillier primitive is Z/nZ, which is equal to that of the
decrypted messages, and thus the Paillier primitive has no reject function based on
checking D_sk(c1) ∈ MSP. We cannot break the cryptosystem based on the Paillier
primitive using the reject timing attack.


5. Elliptic Curve Cryptosystem 


In this section we explain several efficient algorithms used for elliptic curve
cryptosystems.

We assume that K = F_p (p > 3) is a finite field with p elements. Elliptic
curves over K can be represented by the equation

$$E(K) := \{(x, y) \in K \times K \mid y^2 = x^3 + ax + b \ \ (a, b \in K,\ 4a^3 + 27b^2 \neq 0)\} \cup \mathcal{O}, \quad (5.1)$$

where O is the point at infinity. Every elliptic curve is isomorphic to a curve of this
form, and we call it the Weierstrass form. An elliptic curve E(K) has an additive
group structure. Let P1 = (x1, y1), P2 = (x2, y2) be two elements of E(K) that are
different from O and satisfy P2 ≠ ±P1. Then the sum P1 + P2 = (x3, y3) is defined
as follows:

$$x_3 = \lambda^2 - x_1 - x_2, \qquad y_3 = \lambda(x_1 - x_3) - y_1, \quad (5.2)$$

where λ = (y2 − y1)/(x2 − x1) for P1 ≠ P2, and λ = (3x1² + a)/(2y1) for P1 = P2. We
call P1 + P2 (P1 ≠ P2) the elliptic curve addition (ECADD) and P1 + P2 (P1 = P2),
that is 2P1, the elliptic curve doubling (ECDBL). Let d be an integer and P be a
point on the elliptic curve E(K). The scalar multiplication is to compute the point
dP. There are several enhancements of the scalar multiplication. The first one is
to represent the elliptic curve E(K) with a different coordinate system, whose
scalar multiplication is more efficient. For example, projective coordinates and a
class of Jacobian coordinates have been studied [CMO98]. The second one is to use
an efficient addition chain. The addition-subtraction chain is an example [MO90].
We can also apply the addition chains developed for the ElGamal cryptosystem
over finite fields [Gor98].


5.1. Scalar Multiplication
Let d be an n-bit integer and P be a point of the elliptic curve E(K). A standard
way of computing the scalar multiplication dP is to use the binary expression of
d = d_{n−1}2^{n−1} + d_{n−2}2^{n−2} + ... + d_1·2 + d_0, where d_{n−1} = 1 and d_i ∈ {0, 1}
(i = 0, 1, ..., n − 2). Then the following binary methods compute dP efficiently. We
call these methods the binary methods (or the add-and-double methods). On
average they require (n − 1) ECDBLs + (n − 1)/2 ECADDs.

Scalar Multiplication using Binary Method

INPUT d, P, (d[k − 1], ..., d[1], d[0]), d[k − 1] = 1
OUTPUT dP

(Left-to-Right)
1. Q[0] = P
2. for i = k − 2 down to 0
 2.1. Q[0] = ECDBL(Q[0])
 2.2. Q[0] = ECADD(Q[0], d[i]P)
3. return Q[0]

(Right-to-Left)
1. Q[0] = P, Q[1] = O
2. for i = 0 to k − 1
 2.1. Q[1] = ECADD(Q[1], d[i]Q[0])
 2.2. Q[0] = ECDBL(Q[0])
3. return Q[1]

The main difference between the right-to-left and left-to-right algorithms is the
treatment of ECADD. The left-to-right algorithm uses ECADD with the base
point P, so that the Z-coordinate of one ECADD input is always one. On the
contrary, the Z-coordinate of the input point used for the ECADD of the
right-to-left algorithm is not one. Therefore, the left-to-right algorithm achieves a
faster computation time.
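The two binary methods above, as an added example that is not code from the text: affine ECADD/ECDBL from (5.2) and both chains on a constructed toy curve over F_p, with counters showing how many ECDBL and ECADD each method performs for the same scalar (the ECADD count follows the bits of d, which is the observation Section 6.1 builds on). The curve, prime, and scalar are constructed values; O is represented by None.

```python
# Added example (not from the text): affine ECADD/ECDBL from (5.2) and the two
# binary methods of Section 5.1 on a constructed toy curve, with operation counts.
P = 10007                          # toy prime field (constructed), p = 3 (mod 4)
A, B = 3, 7                        # y^2 = x^3 + 3x + 7 over F_p (constructed)
O = None                           # the point at infinity

def on_curve(pt):
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0

def ecdbl(p1):
    """ECDBL: 2*P1 by (5.2) with lambda = (3x1^2 + a) / (2y1)."""
    if p1 is O or p1[1] == 0:      # 2*O = O; a point with y = 0 has order 2
        return O
    x1, y1 = p1
    lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    x3 = (lam * lam - 2 * x1) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ecadd(p1, p2):
    """ECADD: P1 + P2 by (5.2) with lambda = (y2 - y1) / (x2 - x1);
    the O and P2 = +-P1 cases are routed to their special results."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        return ecdbl(p1) if y1 == y2 else O   # P1 == P2, or P2 == -P1
    lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def find_point():
    """Smallest x whose right-hand side is a square (Euler's criterion), with a
    square root via p = 3 (mod 4), so no point has to be hard-coded."""
    for x in range(1, P):
        rhs = (x ** 3 + A * x + B) % P
        if pow(rhs, (P - 1) // 2, P) == 1:
            return x, pow(rhs, (P + 1) // 4, P)
    raise ValueError("no point found")

def scalar_mult_l2r(d, pt):
    """Left-to-right binary method; returns (dP, {'ECDBL': n, 'ECADD': m})."""
    q = pt
    count = {"ECDBL": 0, "ECADD": 0}
    for bit in bin(d)[3:]:               # bits below the leading 1
        q = ecdbl(q)
        count["ECDBL"] += 1
        if bit == "1":                   # ECADD only when the bit is 1
            q = ecadd(q, pt)
            count["ECADD"] += 1
    return q, count

def scalar_mult_r2l(d, pt):
    """Right-to-left binary method; the accumulator Q[1] starts at O."""
    q0, q1 = pt, O
    count = {"ECDBL": 0, "ECADD": 0}
    for bit in reversed(bin(d)[2:]):
        if bit == "1":
            q1 = ecadd(q1, q0)
            count["ECADD"] += 1
        q0 = ecdbl(q0)                   # the final doubling is wasted work
        count["ECDBL"] += 1
    return q1, count
```

Both chains return the same point; the counters make visible that the number of ECADDs equals the number of 1 bits of d (minus one for the leading bit in the left-to-right version), while the ECDBL count is fixed by the bit length.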


Width-w Non-Adjacent Form. The fastest method with less memory is the width-w
non-adjacent form (NAF). The width-w NAF represents an n-bit integer as
d = Σ_{i=0}^{n} d_w[i] 2^i, where each non-zero d_w[i] is an odd integer with
|d_w[i]| < 2^{w−1}, and there is at most one non-zero digit among w consecutive
digits. In order to compute the scalar multiplication we pre-compute the table with
the points P, 3P, ..., (2^{w−1} − 1)P, which has 2^{w−2} points including the base
point P. The points with the opposite sign are generated on the fly during the
scalar multiplication.

Generating Width-w NAF

INPUT An n-bit d, a width w
OUTPUT d_w[n], d_w[n − 1], ..., d_w[0]
1. i ← 0
2. While d > 0 do the following
 2.1. if d is odd then do the following
  2.1.1. d_w[i] ← d mods 2^w
  2.1.2. d ← d − d_w[i]
 2.2. else d_w[i] ← 0
 2.3. d ← d/2, i ← i + 1
3. Return d_w[n], d_w[n − 1], ..., d_w[0]

Scalar Multiplication with Width-w NAF

INPUT d_w[i], P, (|d_w[i]|)P
OUTPUT dP
1. Q ← d_w[c]P for the largest c with d_w[c] ≠ 0
2. For i = c − 1 down to 0
 2.1. Q ← ECDBL(Q)
 2.2. Q ← ECADD(Q, d_w[i]P)
3. Return Q

Several methods for generating the width-w NAF have been proposed ([KT92],
[MOC97], [BSS99], [Sol00]). Generating_Width-w_NAF is the algorithm that
generates the width-w NAF proposed by Solinas [Sol00]. The notation "mods 2^w" at
Step 2.1.1 stands for the signed residue modulo 2^w, namely ±1, ±3, ..., ±(2^{w−1} − 1).
Note that the (w − 1) digits following a non-zero digit in the width-w NAF are
always zero. It is known that the density of the non-zero digits of the width-w NAF
is asymptotically equal to 1/(1 + w). We show an example of the non-adjacent
form as follows, where a bar over a digit denotes a negative digit:

binary string 1001110111100111000101101111000110101011111001
w=2 1010001̄0001̄01001̄00101̄001̄0001̄001001̄01̄01̄00001̄001
w=3 1003̄0001̄000003̄001̄0000300 1̄0001̄0010003̄0030000 1̄001

Scalar_Multiplication_with_Width-w_NAF is the algorithm for computing the
scalar multiplication using the width-w NAF. It is calculated from the most
significant digit: the elliptic curve doubling (ECDBL) at Step 2.1 is executed for
each digit, and the elliptic curve addition (ECADD) at Step 2.2 is executed if and
only if d_w[i] is non-zero. Therefore we have to compute (c + 1) ECDBLs and
(c + 1)/(1 + w) ECADDs, where c is the largest integer with d_w[c] ≠ 0. If we choose
a larger width w, then the scalar multiplication becomes faster, but with more
memory.
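Solinas' generation algorithm and the NAF chain above, as an added example that is not code from the text: the chain is written against abstract group operations (dbl, add, neg) so the same code drives real ECDBL/ECADD; the stand-in group used for checking it, integers modulo a Mersenne prime under addition, is a constructed choice that makes d·1 = d, so the chain's result can be compared with d directly. The checks also reproduce the signed digit strings of the example above.

```python
# Added example (not from the text): width-w NAF generation (Generating_Width-w_NAF)
# and the left-to-right NAF chain (Scalar_Multiplication_with_Width-w_NAF).

def mods(d, w):
    """Signed residue of d modulo 2^w, in the range (-2^(w-1), 2^(w-1))."""
    m = d % (1 << w)
    return m - (1 << w) if m >= (1 << (w - 1)) else m

def width_w_naf(d, w):
    """Return the digits d_w[0], d_w[1], ... (least significant first)."""
    digits = []
    while d > 0:
        if d & 1:
            di = mods(d, w)
            d -= di                       # now d is divisible by 2^w
        else:
            di = 0
        digits.append(di)
        d >>= 1
    return digits

def is_width_w_naf(digits, w):
    """Defining properties: each digit is 0 or odd with |d| < 2^(w-1), and any
    w consecutive digits contain at most one non-zero digit."""
    for di in digits:
        if di != 0 and (di % 2 == 0 or abs(di) >= (1 << (w - 1))):
            return False
    for i in range(len(digits)):
        if sum(1 for x in digits[i:i + w] if x) > 1:
            return False
    return True

def naf_value(digits):
    return sum(di << i for i, di in enumerate(digits))

def nonzero_density(digits):
    return sum(1 for x in digits if x) / len(digits)

def scalar_mult_naf(digits, base, dbl, add, neg):
    """Compute d*base from its width-w NAF digits; returns (result, counts).
    Odd multiples up to the largest |digit| are precomputed (not counted);
    negative digits use the negated table entry, generated on the fly."""
    largest = max(abs(x) for x in digits)
    table = {1: base}
    if largest > 1:
        two = dbl(base)
        for k in range(3, largest + 1, 2):
            table[k] = add(table[k - 2], two)
    def mult(di):
        return table[di] if di > 0 else neg(table[-di])
    c = len(digits) - 1
    while digits[c] == 0:
        c -= 1
    q = mult(digits[c])
    count = {"ECDBL": 0, "ECADD": 0}
    for i in range(c - 1, -1, -1):
        q = dbl(q)
        count["ECDBL"] += 1
        if digits[i]:
            q = add(q, mult(digits[i]))
            count["ECADD"] += 1
    return q, count

# Stand-in group (constructed): Z/mZ under addition, so d*1 == d for d < m.
M61 = (1 << 61) - 1
ZM_OPS = dict(dbl=lambda x: 2 * x % M61,
              add=lambda x, y: (x + y) % M61,
              neg=lambda x: -x % M61)
```

For the 46-bit example scalar the w=3 form has 13 non-zero digits against 16 for w=2, so the chain performs 12 instead of 15 additions at the cost of one precomputed point (3P).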
5.2. Efficient Coordinate System

There are several ways to represent a point on an elliptic curve. The costs of
computing an ECADD and an ECDBL depend on the representation of the
coordinate system. A detailed description of the coordinate systems is given in
[CMO98].

TABLE 2. Computing times of ECADD and ECDBL

Coordinate System   ECADD          ECDBL
A                   2M + 1S + 1I   2M + 2S + 1I
P                   12M + 2S       7M + 5S
J                   12M + 4S       4M + 6S
J^c                 11M + 3S       5M + 6S
J^m                 13M + 6S       4M + 4S

The major coordinate systems are as follows: the affine coordinate system (A),
the projective coordinate system (P), the Jacobian coordinate system (J), the
Chudnovsky coordinate system (J^c), and the modified Jacobian coordinate
system (J^m). We summarize the costs in Table 2, where M, S, I denote the
computation time of a multiplication, a squaring, and an inversion in the definition
field K, respectively. The speed of ECADD or ECDBL can be enhanced when the
third coordinate is Z = 1 or the coefficient of the definition equation is a = −3.
We show the concrete algorithms for computing ECDBL^J, ECDBL^{J,a=−3},
ECADD^J, and ECADD^{J,Z2=1}.














The four listings compute the following values; the intermediate names M, S, T
(ECDBL) and U1, U2, S1, S2, H, R (ECADD) are the ones referred to in Section 7,
and the order of the additions is the one discussed in Remarks 7.2 and 7.4.

ECDBL^J, 4M + 6S + 11A
Input (X1, Y1, Z1, a)
Output (X2, Y2, Z2)
  S = 4X1Y1², M = 3X1² + aZ1⁴
  W = −S + M², T = W − S
  X2 = T, Y2 = M(S − T) − 8Y1⁴, Z2 = 2Y1Z1

ECDBL^{J,a=−3}, 4M + 4S + 13A
Input (X1, Y1, Z1)
Output (X2, Y2, Z2)
  S = 4X1Y1², M = 3(X1 − Z1²)(X1 + Z1²)
  W = −S + M², T = W − S
  X2 = T, Y2 = M(S − T) − 8Y1⁴, Z2 = 2Y1Z1

ECADD^J, 12M + 4S + 7A
Input (X1, Y1, Z1, X2, Y2, Z2)
Output (X3, Y3, Z3)
  U1 = X1Z2², U2 = X2Z1², S1 = Y1Z2³, S2 = Y2Z1³
  H = U2 − U1, R = S2 − S1
  X3 = (−H³ + R²) − 2U1H², Y3 = R(U1H² − X3) − S1H³, Z3 = Z1Z2H

ECADD^{J,Z2=1}, 8M + 3S + 7A
Input (X1, Y1, Z1, X2, Y2)
Output (X3, Y3, Z3)
  U1 = X1, U2 = X2Z1², S1 = Y1, S2 = Y2Z1³
  H = U2 − U1, R = S2 − S1
  X3 = (−H³ + R²) − 2U1H², Y3 = R(U1H² − X3) − S1H³, Z3 = Z1H








6. Side Channel Attacks on ECC 


In this section we describe several side channel attacks on ECC. 


6.1. SPA on ECC 

The SPA observes the power consumption of a device and detects differences
between the operations that use the secret key. The scalar multiplication using
the binary method (ECC binary method) is vulnerable to the SPA. The scalar
multiplication is computed by the addition formulae, namely ECDBL and ECADD,
according to the bits of the secret scalar. The operation ECADD in the ECC binary
method is computed if and only if the underlying bit is 1, whereas the operation
ECDBL is always computed. The addition formulae are assembled from the basic
operations of the definition field (see Section 5.2). There are differences between
the basic operations of ECDBL and those of ECADD. Thus the SPA attacker can
detect the secret bit. In order to resist the SPA, we have to eliminate the relation
between the bit information and the addition formulae.

Double-and-add-always method. Coron proposed a simple countermeasure, which is
called the double-and-add-always method [Cor99]. The double-and-add-always
method is described as follows:

Double-And-Add-Always Method

Input: d = (d_{n−1} ... d_1 d_0)_2, P ∈ E(K) (d_{n−1} = 1)
Output: dP

1. Q[0] ← P
2. For i = (n − 2) down to 0 do:
 2.1. Q[0] ← ECDBL(Q[0])
 2.2. Q[1] ← ECADD(Q[0], P)
 2.3. Q[0] ← Q[d_i]
3. Return(Q[0])

The double-and-add-always method always computes ECADD whether d_i = 0 or
1. Therefore, attackers cannot guess the bit information of d using SPA.


6.2. DPA and Countermeasures 


The differential power analysis (DPA) observes many power consumption traces
and analyzes them together with statistical tools. Even if a method is secure
against SPA, it might not be secure against the DPA. The DPA attacker tries to
guess whether the computation cP for an integer c is performed during the
exponentiation. He/she gathers many power consumption traces of cP_i for
i = 1, 2, 3, ..., and detects the spike arising from the correlation function based on a
specific bit of cP_i. The DPA can break the binary method, because the sequence of
points generated by the binary method is deterministic and the DPA can find the
correlation for a specific bit.

Coron pointed out that it is necessary to insert random numbers during the
computation of dP to prevent DPA [Cor99]. The randomization eliminates the
correlation between the secret bit and the sequence of points. The standard
randomization methods are Coron's 3rd [Cor99] and the Joye-Tymen
countermeasure [JT01]. The main idea of these countermeasures is to randomize the
base point before starting the scalar multiplication. If the base point is randomized,
there is no correlation among the power consumptions of the individual scalar
multiplications. The DPA cannot obtain the spike of the power consumption from
the statistical tool. We describe the two standard randomizations in the following.
There are other DPA countermeasures (e.g. randomized window methods [Wal02a,
TYTT02], etc.), but in this paper we aim at investigating the security of Coron's 3rd
and the Joye-Tymen countermeasures.


Coron's 3rd Countermeasure. Coron proposed three countermeasures against
DPA for elliptic curve cryptosystems [Cor99]. But Okeya and Sakurai pointed
out that only his 3rd countermeasure is secure against DPA [OS00]. This
countermeasure is based on the randomization of Jacobian coordinates. To prevent
DPA we transform P = (x, y) in affine coordinates to P = (r²x : r³y : r) in Jacobian
coordinates for a random value r ∈ K*. This randomization produces a randomized
representation of each point and hence randomizes the power consumption during
the scalar multiplication dP.

Joye-Tymen Countermeasure. The Joye-Tymen countermeasure uses an
isomorphism of an elliptic curve [JT01]. For a random value r ∈ K*, an elliptic
curve E : y² = x³ + ax + b and the point P = (x, y) can be transformed to the
isomorphic curve E' : y'² = x'³ + a'x' + b' for a' = r⁴a, b' = r⁶b and
P' = (x', y') = (r²x, r³y). Instead of computing dP, we compute Q' = dP' = (x_Q', y_Q')
on E' and then pull back Q = (x_Q, y_Q) by computing x_Q = r^{−2}x_Q' and
y_Q = r^{−3}y_Q'. This countermeasure can hold the Z-coordinate equal to 1 during
the computation of dP' and it enables good efficiency.
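The Jacobian formulas ECDBL^J and ECADD^J of Section 5.2, the double-and-add-always method of Section 6.1, and the two randomizations above, as one added example that is not code from the text: a field-operation counter confirms the 4M + 6S and 12M + 4S costs, and the same scalar multiplication is run unrandomized, with Coron's 3rd randomization of the base point, and on the Joye-Tymen isomorphic curve with pull-back, all yielding the same affine point. The curve is NIST P-256 (public parameters); the scalars and random values r are constructed, and the general ECADD^J is used for every addition (so the Z = 1 saving of the Joye-Tymen variant is not exploited here). As in Section 5, the formulas assume inputs different from O and from each other's negatives.

```python
# Added example (not from the text): ECDBL^J / ECADD^J with operation counts,
# double-and-add-always, and the Coron / Joye-Tymen base-point randomizations.
P = (1 << 256) - (1 << 224) + (1 << 192) + (1 << 96) - 1        # NIST P-256
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

COUNT = {"M": 0, "S": 0}        # field multiplications / squarings performed

def mul(x, y):
    COUNT["M"] += 1
    return x * y % P

def sqr(x):
    COUNT["S"] += 1
    return x * x % P

def ecdbl_j(pt, a):
    """ECDBL^J: 2(X1:Y1:Z1) with M = 3X1^2 + aZ1^4, S = 4X1Y1^2; 4M + 6S."""
    X1, Y1, Z1 = pt
    Y1sq = sqr(Y1)
    S = 4 * mul(X1, Y1sq) % P
    Z1sq = sqr(Z1)
    M = (3 * sqr(X1) + mul(a, sqr(Z1sq))) % P
    W = (sqr(M) - S) % P              # W = -S + M^2, then T = W - S (Remark 7.2 order)
    T = (W - S) % P
    Y3 = (mul(M, (S - T) % P) - 8 * sqr(Y1sq)) % P
    Z3 = 2 * mul(Y1, Z1) % P
    return T, Y3, Z3

def ecadd_j(p1, p2):
    """ECADD^J: (X1:Y1:Z1) + (X2:Y2:Z2) via U1, U2, S1, S2, H, R; 12M + 4S."""
    X1, Y1, Z1 = p1
    X2, Y2, Z2 = p2
    Z1sq, Z2sq = sqr(Z1), sqr(Z2)
    U1, U2 = mul(X1, Z2sq), mul(X2, Z1sq)
    S1, S2 = mul(Y1, mul(Z2sq, Z2)), mul(Y2, mul(Z1sq, Z1))
    H, R = (U2 - U1) % P, (S2 - S1) % P
    Hsq = sqr(H)
    Hcu = mul(Hsq, H)
    U1Hsq = mul(U1, Hsq)
    X3 = ((sqr(R) - Hcu) - 2 * U1Hsq) % P      # -H^3 + R^2 first (Remark 7.4 order)
    Y3 = (mul(R, (U1Hsq - X3) % P) - mul(S1, Hcu)) % P
    Z3 = mul(mul(Z1, Z2), H)
    return X3, Y3, Z3

def to_affine(pt):
    X, Y, Z = pt
    zi = pow(Z, -1, P)
    return X * zi * zi % P, Y * zi * zi * zi % P

def on_curve(x, y):
    return (y * y - (x * x * x + A * x + B)) % P == 0

def double_and_add_always(d, base, a=A):
    """Coron's double-and-add-always: ECADD runs for every bit and the result
    is selected by the bit, so the operation sequence does not depend on d."""
    q = [base, None]
    for bit in bin(d)[3:]:             # bits below the leading 1
        q[0] = ecdbl_j(q[0], a)
        q[1] = ecadd_j(q[0], base)
        q[0] = q[int(bit)]
    return q[0]

def coron_randomize(x, y, r):
    """Coron's 3rd countermeasure: (x, y) -> (r^2 x : r^3 y : r)."""
    return r * r * x % P, r * r * r * y % P, r % P

def joye_tymen_mult(d, x, y, r):
    """Joye-Tymen: run the chain on the isomorphic curve a' = r^4 a with
    P' = (r^2 x, r^3 y, 1), then pull back x = r^-2 x', y = r^-3 y'."""
    a2 = pow(r, 4, P) * A % P
    xq, yq = to_affine(double_and_add_always(d, (r * r * x % P, r * r * r * y % P, 1), a2))
    ri = pow(r, -1, P)
    return xq * ri * ri % P, yq * ri * ri * ri % P
```

A k-bit scalar costs (k − 1)(4M + 6S) + (k − 1)(12M + 4S) with this chain regardless of the bits of d; the randomized runs change every intermediate coordinate but not the final affine point, which is exactly what the countermeasures promise.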


6.3. Goubin’s Power-Analysis Attack 


Goubin proposed a new power analysis using a point that cannot be randomized
by either Coron's 3rd or the Joye-Tymen countermeasure [Gou03]. Goubin focused
on the following two points: (x, 0) and (0, y). The points (x, 0) and (0, y) are
represented by (X : 0 : Z) and (0 : Y : Z) in Jacobian coordinates. Even if these
points are randomized by Coron's 3rd countermeasure, one of the coordinates
remains zero, namely (r²X : 0 : rZ) and (0 : r³Y : rZ) for some random value
r ∈ K*. Similarly the Joye-Tymen randomization cannot randomize these points.
Therefore, the attacker can detect whether the points (x, 0) or (0, y) are used in
the scalar multiplication using the DPA.

The attacker can break the secret scalar using these points as follows: we can
compute P = (c^{−1} mod #E)(0, y) for a given scalar c, because the order #E of the
curve is prime. If the scalar multiplication computes the point cP = (0, y), the
power consumption of the next step is always significantly different from the
others. Thus the DPA can detect whether cP is computed or not for the scalar c
during the scalar multiplication. The attacker can obtain the whole secret scalar
by recursively applying this process.

Goubin's attack is effective on the curves that have the points (x, 0) or (0, y).
The point (x, 0) is not on curves with prime order (≠ 2), because the order of the
point (x, 0) is 2. The point (0, y) appears on the curve if b is a quadratic residue
modulo p, which is checked by solving y² = b.


7. Zero-Value Point Attack on ECC 


In this section, we explain the zero-value point attack (ZVP attack). The ZVP
attack is an extension of Goubin's attack, and it utilizes the auxiliary registers that
take the zero value in the definition field. We investigate the zero-value registers
that are randomized by neither Coron's 3rd nor the Joye-Tymen countermeasure.

The addition formula is assembled from the operations of the base field, namely
multiplication and addition. We have about 20 different operations on the
auxiliary registers for each of ECDBL and ECADD (see the addition formulae in
Appendix A). There are many possibilities for the values of the auxiliary registers
to become zero. The zero-value registers of the ECDBL and those of the ECADD
are quite different. We examine all possible operations that take zero in the
auxiliary registers.

We show several criteria under which the ZVP attack is effective; the attack
depends strongly on the implementation of the addition formula. We list all
possible security conditions and discuss their effectiveness. Moreover, we
demonstrate that the attack is effective on several standard curves.


Outline of Attack. We describe the outline of the zero-value point attack in the
following. The goal of the zero-value point attack is to break the secret scalar by
adaptively choosing the base point Q. We assume that the scalar multiplication is
computed by the binary method. But we can apply our zero-value point attack to
the SPA countermeasures using the deterministic addition chain described in
Section 3.1. The attacker breaks the secret key from the most significant bits. The
second most significant bit d_{n−2} can be broken by checking whether one of the
addition formulae ECDBL(2Q), ECADD(2Q, Q), ECDBL(3Q), and ECADD(3Q, Q)
is computed. If we can generate the zero-value register for these addition formulae,
we can detect the second most significant bit: d_{n−2} = 0 holds if ECDBL(2Q) or
ECADD(2Q, Q) has the zero-value register, and d_{n−2} = 1 holds if ECDBL(3Q) or
ECADD(3Q, Q) has the zero-value register.

Next, we assume that the (n − i − 1) most significant bits (d_{n−1}, ..., d_{i+1})_2 of
d are known. We can break the i-th bit d_i by checking whether one of
ECDBL(2kQ), ECADD(2kQ, Q), ECDBL((2k + 1)Q), and ECADD((2k + 1)Q, Q) is
computed, where k = Σ_{j=i+1}^{n−1} d_j 2^{j−i−1}. We know that d_i = 0 holds if
ECDBL(2kQ) or ECADD(2kQ, Q) has the zero-value register, and d_i = 1 holds if
ECDBL((2k + 1)Q) or ECADD((2k + 1)Q, Q) has the zero-value register. Therefore,
if we find a point P that takes the zero-value register at ECDBL, we can use the
base point Q = (c^{−1} mod #E)P for some integer c for this attack. On the other
hand, in order to use the zero-value register at ECADD, the base point Q that
causes the zero-value register at ECADD(cQ, Q) must be found.

Thus the attacker has to find the points Q which cause the zero-value register at
ECDBL(cQ) or ECADD(cQ, Q) for a given integer c. The ECDBL causes the
zero-value register for a given single point Q, but the zero-value register for the
ECADD depends on the two points Q and cQ. In this paper we call these points
zero-value points (ZVP).


Possible Zero-Value Points from ECDBL. We investigate the ZVP for addition
formulae in Jacobian coordinates, but the same arguments apply to addition
formulae in projective coordinates. We search for the zero-value points in the
following. We examine all auxiliary registers of the ECDBL in Jacobian
coordinates. There are 21 intermediate values for ECDBL^J, as described in
Appendix A. We prove the following theorem.


Theorem 7.1. Let E be an elliptic curve over a prime field F_p defined by
y² = x³ + ax + b. The elliptic curve E has the zero-value point P = (x, y) of
ECDBL^J(P) if and only if one of the following five conditions is satisfied:

(ED1) 3x² + a = 0,
(ED2) 5x⁴ + 2ax² − 4bx + a² = 0,
(ED3) the order of P is equal to 3,
(ED4) x(P) = 0 or x(2P) = 0, and
(ED5) y(P) = 0 or y(2P) = 0.

Moreover, the zero-value points are not randomized by Coron's 3rd or Joye-Tymen
randomization.

Conditions (ED4) and (ED5) are exactly those of Goubin's attack.

We prove this theorem in the following. Let P1 = (X1 : Y1 : Z1) and
P3 = (X3 : Y3 : Z3) = ECDBL^J(P1). The intermediate values of ECDBL can be
zero if and only if one of the following values is zero:

X1, Y1, Z1, X3, Y3, M, −S + M², S − T.

Here Z1 = 0 implies P = O, which never appears as input of ECDBL^J(P). The
conditions X1 = 0, Y1 = 0, X3 = 0, and Y3 = 0 are equivalent to x(P) = 0,
y(P) = 0, x(2P) = 0, and y(2P) = 0, which are exactly the points discussed by
Goubin. Next, M = 3X1² + aZ1⁴ = 0 implies the condition 3x² + a = 0, which is
condition (ED1). Note that neither Coron's 3rd nor the Joye-Tymen randomization
can randomize these points. Indeed the randomized point (X1' : Z1') = (r²X1 : rZ1)
by Coron's 3rd randomization satisfies 3X1'² + aZ1'⁴ = r⁴(3X1² + aZ1⁴) = 0, where
r ∈ K*. The randomized point (X1'' : Z1'') = (s²X1 : Z1) and curve parameter
a'' = s⁴a by the Joye-Tymen randomization satisfy
3X1''² + a''Z1''⁴ = s⁴(3X1² + aZ1⁴) = 0, where s ∈ K*. The condition −S + M² = 0
implies −4X1Y1² + (3X1² + aZ1⁴)² = 0, which is equivalent to −4xy² + (3x² + a)² = 0,
namely condition (ED2). The condition S − T = 0 implies x1 = x3. This occurs only
if 2P = ±P, which means P = O or the order of P equals 3, namely condition (ED3).

Remark 7.2. In order to obtain T = −2S + M² we computed with the following
ordered additions: W = −S + M² and then T = W − S. If we compute −2S and
then −2S + M², condition (ED2) does not appear in the ECDBL. Thus we should
avoid the former order of the two additions for the implementation of ECDBL.


Possible Zero-Value Points from ECADD. We investigate the possible zero-value
points from ECADD, namely all possible zero-value points P of ECADD(cP, P) for
some integer c. There are 23 auxiliary values in the ECADD. We examine the
addition formula in Jacobian coordinates. We prove the following theorem.

Theorem 7.3. Let E be an elliptic curve over a prime field F_p defined by
y² = x³ + ax + b. The elliptic curve E has the zero-value point P = (x, y) of
ECADD^J(cP, P) for some c ∈ Z if and only if one of the following seven
conditions is satisfied:

(EA1) P is a y-coordinate self-collision point,
(EA2) x(cP) + x(P) = 0,
(EA3) x(P) − x(cP) = λ(cP, P)²,
(EA4) 2x(cP) = λ(cP, P)², x(cP) = λ(cP, P)², or x(P) = λ(cP, P)²,
(EA5) the order of P is odd,
(EA6) x(cP) = 0, x(P) = 0, or x((c + 1)P) = 0, and
(EA7) y(cP) = 0, y(P) = 0, or y((c + 1)P) = 0.

Moreover, the zero-value points are not randomized by Coron's 3rd or Joye-Tymen
randomization.

A point P = (x, y) is called a y-coordinate self-collision point if there is a
positive integer c such that the y-coordinate of the point cP is equal to y.
Conditions (EA6) and (EA7) are those of Goubin's attack.

Let P1 = (X1 : Y1 : Z1), P2 = (X2 : Y2 : Z2), and ECADD^J(P1, P2) = (X3 : Y3 : Z3).
Here we can set P1 = cP2 for some integer c. If one of the following values is zero,
at least one of the intermediate values must be zero:

X1, Y1, Z1, X2, Y2, Z2, X3, Y3, H, R, U1H² − X3.

Here if one of X1, Y1, X2, Y2, X3, Y3 is zero, this provides conditions (EA6) and
(EA7). Z1 = 0, Z2 = 0 and H = 0 imply P1 = O, P2 = O, and P1 = ±P2,
respectively, which never appear as input of ECADD^J(P1, P2). Next,
R = Y1Z2³ − Y2Z1³ = 0 implies y1 = y2, where y1 = Y1/Z1³ and y2 = Y2/Z2³,
namely condition (EA1). This is the y-coordinate self-collision point. Note that
neither Coron's 3rd nor the Joye-Tymen randomization can randomize these points.
Indeed the randomized points (Y1' : Z1') = (r³Y1 : rZ1), (Y2' : Z2') = (s³Y2 : sZ2)
by Coron's 3rd randomization satisfy Y1'Z2'³ − Y2'Z1'³ = r³s³(Y1Z2³ − Y2Z1³) = 0,
where r, s ∈ K*. The randomized points (Y1'' : Z1'') = (t³Y1 : Z1),
(Y2'' : Z2'') = (t³Y2 : Z2) by the Joye-Tymen randomization satisfy
Y1''Z2''³ − Y2''Z1''³ = t³(Y1Z2³ − Y2Z1³) = 0, where t ∈ K*. Finally,
U1H² − X3 = 0 implies 3U1H² + H³ − R² = 0, which is x1 − x3 = 0. This occurs
only if (c + 1)P = ±cP, which means P = O or the order of P equals 2c + 1,
namely condition (EA5).

The other possible intermediate values appear only in the computation of
X3 = −H³ − 2U1H² + R². For ECADD^J in Appendix A, we compute −H³ + R²
first, but it can be implemented differently. Indeed, we have 6 possible
intermediate values:

(a1) −H³ − 2U1H²,
(a2) −2U1H² + R²,
(a3) −H³ + R²,
(a4) −H³ − U1H²,
(a5) −U1H² + R²,
(a6) −H³ − U1H² + R².

We examine these conditions in the following. The points above are randomized
by neither Coron's 3rd nor the Joye-Tymen randomization. Condition (a1) implies
H²(X2Z1² + X1Z2²) = 0, namely H = 0 or x1 + x2 = 0 in affine coordinates. The
condition H = 0 has already appeared in the multiplicative ZVP. x1 + x2 = 0
implies x(cP) + x(P) = 0, which is equal to condition (EA2). Condition (a2) implies
−2X1Z2²(X2Z1² − X1Z2²)² + (Y2Z1³ − Y1Z2³)² = 0, which is 2x1 = λ² in affine
coordinates. It is condition (EA4). Condition (a3) implies
−(X2Z1² − X1Z2²)³ + (Y2Z1³ − Y1Z2³)² = 0, which is x2 − x1 = λ(P2, P1)², namely
condition (EA3). Condition (a4) implies H = 0 or U2 = 0, which was discussed in the
multiplicative case. Condition (a5) is converted to
−X1Z2²(X2Z1² − X1Z2²)² + (Y2Z1³ − Y1Z2³)² = 0, which is x1 = λ² in affine
coordinates. It is equal to condition (EA4). Condition (a6) implies
−(X2Z1² − X1Z2²)³ − X1Z2²(X2Z1² − X1Z2²)² + (Y2Z1³ − Y1Z2³)² = 0, which is
x2 = λ(P2, P1)² in affine coordinates. It is equal to condition (EA4).

Remark 7.4. If we implement the addition −H³ − 2U1H² + R² with either
condition (a1), (a2), or (a3), then conditions (a4), (a5), and (a6) never appear in
the ECADD. Conditions (a1), (a2), and (a3) are never satisfied simultaneously;
only one of them can occur. For example, the implementation of ECADD in
Appendix A uses (a3), and thus the other conditions will never appear. The
security of ECADD against the zero-value point attack strongly depends on its
implementation, and we should take care in how to implement it.


How to Find the ZVP. We discuss how to find the ZVP described in the previous
sections. A zero-value point is called non-trivial if the order of the point is smaller
than that of the curve. The standard curves over prime fields have prime order,
i.e., the orders of these elliptic curves are always prime and there are no
non-trivial ZVP on them. We know that Goubin's point can be easily computed.
In the following we discuss the non-trivial ZVP that are different from Goubin's
points.

First we discuss the non-trivial ZVP from the ECDBL. There are two non-trivial
points (x, y) such that

(ED1) 3x² + a = 0,

(ED2) 5x⁴ + 2ax² − 4bx + a² = 0.

The solutions of these polynomials over finite fields can be easily computed
using the Cantor-Zassenhaus algorithm [Coh94].
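The conditions (ED1) and (ED2) of Theorem 7.1, together with Remark 7.2, as an added example that is not code from the text: for a toy prime p the x-coordinates satisfying either condition (and Goubin's x = 0) are found by exhaustive search instead of Cantor-Zassenhaus, and the ECDBL^J registers of the Coron-randomized point are then evaluated to confirm that M (for an ED1 point) and W = −S + M² (for an ED2 point) stay zero for every r, while computing T = −2S + M² directly leaves no zero register for an ED2 point. The curves, points and values of r are constructed; a curve designer can run the same search (with a proper root finder) to check that a candidate curve has no such points.

```python
# Added example (not from the text): small-field search for the ECDBL
# zero-value conditions of Theorem 7.1 and the register check behind it.

def is_square(v, p):
    """Euler's criterion: v is 0 or a quadratic residue modulo the prime p."""
    v %= p
    return v == 0 or pow(v, (p - 1) // 2, p) == 1

def find_zvp_x(p, a, b):
    """x-coordinates of curve points satisfying (ED1), (ED2), or x = 0.
    Exhaustive over F_p: fine for toy p, replaced by a root finder in practice."""
    found = {"ED1": [], "ED2": [], "(0,y)": []}
    for x in range(p):
        if not is_square(x ** 3 + a * x + b, p):
            continue                        # no point of the curve has this x
        if (3 * x * x + a) % p == 0:
            found["ED1"].append(x)
        if (5 * x ** 4 + 2 * a * x * x - 4 * b * x + a * a) % p == 0:
            found["ED2"].append(x)
        if x == 0:
            found["(0,y)"].append(x)
    return found

def ecdbl_registers(x, y, r, a, p, direct=False):
    """Intermediate registers of ECDBL^J on the Coron-randomized point
    (r^2 x : r^3 y : r).  direct=False computes W = -S + M^2 and T = W - S;
    direct=True computes T = -2S + M^2 without the W register (Remark 7.2)."""
    X1, Y1, Z1 = r * r * x % p, r * r * r * y % p, r % p
    S = 4 * X1 * Y1 * Y1 % p
    M = (3 * X1 * X1 + a * pow(Z1, 4, p)) % p
    regs = {"X1": X1, "Y1": Y1, "Z1": Z1, "S": S, "M": M}
    if direct:
        regs["T"] = (M * M - 2 * S) % p
    else:
        regs["W"] = (M * M - S) % p
        regs["T"] = (regs["W"] - S) % p
    return regs

def zero_registers(regs):
    """Names of the registers that hold zero, in sorted order."""
    return sorted(k for k, v in regs.items() if v == 0)
```

The identity behind the test is the one used in the proof: on the randomized point M = r⁴(3x² + a) and −S + M² = r⁸(−4xy² + (3x² + a)²), so a zero in either register survives every choice of r.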

Next we discuss the non-trivial ZVP from the ECADD. The existence conditions
of these points are determined not only by the base point P but also by the
exponent c. In order to find these ZVP we have to know how to represent the
relation between P and cP, for example, x(cP) + x(P) = 0. Izu and Takagi
discussed a similar self-collision for the Brier-Joye addition formula [IT03]. Here
we can similarly apply their approach for finding the ZVP. We explain it in the
following. Let P = (x, y) be a point on the elliptic curve. The division polynomials
ψ_c(P), φ_c(P), ω_c(P) are a useful tool for representing these relationships as
polynomials over the definition field K. The point cP can be represented as follows:

$$cP = \left( \frac{\phi_c(P)}{\psi_c^2(P)},\ \frac{\omega_c(P)}{\psi_c^3(P)} \right),$$

where c is a scalar value (see for example [Sil86]). For small c, we know ψ_1(P) = 1,
ψ_2(P) = 2y, and ψ_3(P) = 3x⁴ + 6ax² + 12bx − a², where P = (x, y). We define
φ_c = xψ_c² − ψ_{c−1}ψ_{c+1} and 4yω_c = ψ_{c+2}ψ_{c−1}² − ψ_{c−2}ψ_{c+1}².

For example, the points P = (x, y) which satisfy x(cP) + x(P) = 0 are the
solutions of φ_c(P) + x(P)ψ_c²(P) = 0. The points P = (x, y) with
x(P) − x(cP) = λ(P, cP)² are the solutions of the polynomial
(x(P)ψ_c²(P) − φ_c(P))³ = (y(P)ψ_c³(P) − ω_c(P))². Similarly we can construct the
equations whose solutions give the ZVP. The polynomials ψ_c(P), ω_c(P), φ_c(P)
have degree of order O(c²), which increases exponentially in log c. Therefore, it is
a hard problem to find the solutions of these equations for large c; we can find the
ZVP only for small c using the division polynomials. It is an open problem to find
a more efficient algorithm for computing the ZVP.

ZVP on Standard Curves. We have examined the existence of several ZVP over 
the SECG [SECG] random curves over prime fields. Especially we discuss the non-
trivial conditions from ECDBL', namely (ED1) $3x^2 + a = 0$, (ED2) $5x^4 + 2ax^2 - 
4bx + a^2 = 0$. These conditions are most effectively used for the zero-value point 
attack. We have found enough curves which have points satisfying condition (ED1) 
or (ED2). In Table 1 we summarize the existence of these points. The notation 'o' 
means that the curve has a point with one of the aforementioned conditions. For 
comparison we also show the point (0,y) used in Goubin's attack in Table 1. Some 
curves, e.g., secp112r1, secp224r1, are secure against Goubin's attack, but not 
against ours. SECG secp224r1 is insecure only against condition (ED2). 


TABLE 3. The existence of non-trivial ZVP of ECDBL' 

| (0,y) | (ED1) | (ED2) 





Countermeasure using Isogeny. In order to resist Goubin's attack, Smart proposed 
a countermeasure using an isogeny of the elliptic curve [Sma03]. 

Let $\Phi_l(X,Y)$ be the modular polynomial of degree l. Two elliptic curves 
$E_1(a_1, b_1)$ and $E_2(a_2, b_2)$ are called l-isogenous if and only if $\Phi_l(j_1, j_2) = 0$ holds, 
where $j_i$ is the j-invariant of the curve $E_i$ for i = 1, 2. Isogenous curves have the 
same order. The isogeny is given by 

$$\psi: E_1 \to E_2,\qquad (x, y) \mapsto \left( \frac{f_1(x)}{g(x)^2},\ \frac{y \cdot f_2(x)}{g(x)^3} \right),$$

where $f_1$, $f_2$ and g are polynomials of degree l, (3l − 1)/2 and (l − 1)/2 respectively 
(see details in [BSS99, Chapter VII]). By Horner's rule, the computational cost of 
this mapping is estimated as $(l + (3l-1)/2 + (l-1)/2 + 5)M + I = (3l + 4)M + I$. 

Smart proposed that if the original curve E has the point (0, y), the isogenous 
curve E' of E could have no point (0, y). If we can find E' which has no point 
(0, y), we transfer the base point P ∈ E to P' ∈ E' using the isogeny ψ: E → E'. 
Instead of computing the scalar multiplication Q = dP, we compute Q' = dP' on E' 
and then pull back Q ∈ E from Q' ∈ E' by the mapping $\psi^{-1}: E' \to E$. The 
mappings ψ and $\psi^{-1}$ require (3l + 4)M + I each, so that the additional cost of 
this countermeasure is (6l + 8)M + 2I. This countermeasure with a small isogeny 
degree is faster than randomizing the secret scalar d with the order of the curve. 

It is a further research topic to investigate isogenous curves that are secure 
against the ZVP attack. 


7.1. Non-Zero Digit Methods 


In this section we explain three approaches that resist the SPA. The first one is 
the Montgomery-type method, which always computes both ECADD and ECDBL 
for each bit $d_i$. It was originally proposed by Montgomery [Mon87], and 
enhanced for the Weierstrass form of elliptic curves over K ([IT02, IBT02, BJ02, 
FGKS02]). The second one is to use an indistinguishable addition formula, with 
which we can compute both ECDBL and ECADD ([BJ02, CJ01]). The third one 
is to use an addition chain with a fixed pattern and pre-computed points ([Möl01, 
OT03a]). 


7.2. Montgomery Ladder Method 


We explain the scalar multiplication using the Montgomery ladder in the following. 
The algorithm improved on the addition chain and the addition formula. Both 
improvements are based on the scalar multiplication by Montgomery [Mon87]. 
However, we first point out that the addition chain is applicable not only to 
Montgomery form curves but to any type of curve. We also establish the addition 
formulas, which only use the x-coordinate of the points, for the Weierstrass form 
curves. 
Scalar Multiplication using Montgomery Ladder. We describe the scalar multipli-
cation using the Montgomery ladder in the following: 

Scalar Multiplication using Montgomery Ladder 

Input: d = (d_{n-1} ··· d_1 d_0)_2, P ∈ E(K) (d_{n-1} = 1) 
Output: dP 
1. Q[0] ← P, Q[1] ← 2P 
2. For i = (n − 2) down to 0 do: 
   2.1. Q[2] = ECDBL(Q[d[i]]) 
   2.2. Q[1] = ECADD(Q[0], Q[1]) 
   2.3. Q[0] = Q[2 − d[i]] 
   2.4. Q[1] = Q[1 + d[i]] 
3. return Q[0] 


For each bit d[i], we compute Q[2] = ECDBL(Q[d[i]]) in Step 2.1 and Q[1] = 
ECADD(Q[0], Q[1]) in Step 2.2. Then the values are assigned as Q[0] = Q[2], Q[1] = 
Q[1] if d[i] = 0, and Q[0] = Q[1], Q[1] = Q[2] if d[i] = 1. We prove the correctness 
of the Montgomery ladder algorithm in the following. 
Theorem 7.5. The scalar multiplication using the Montgomery ladder, on input a point 
P and an integer d ≥ 2, outputs the correct value of the scalar multiplication d * P. 


Proof. When we write Q[0], Q[1] in the following, we mean Q[0] in Step 2.3 and Q[1] in Step 
2.4 of the Montgomery ladder. The loop of Step 2 generates a sequence 

$$(Q[0], Q[1])_{n-2},\ (Q[0], Q[1])_{n-3},\ \ldots,\ (Q[0], Q[1])_1,\ (Q[0], Q[1])_0 \tag{7.1}$$

from the bit sequence d[n − 2], d[n − 3], ..., d[1], d[0]. At first we prove Q[1] = 
Q[0] + P for each (Q[0], Q[1])_i, i = 0, 1, ..., n − 2, by induction on the length 
of the sequence. For n = 2 we have only one loop in Step 2 and two 
cases, d[0] = 0 or 1. Then we obtain Q[0] = 2 * P, Q[1] = 3 * P for d[0] = 0, and 
Q[0] = 3 * P, Q[1] = 4 * P for d[0] = 1. The fact Q[1] = Q[0] + P is correct for 
n = 2. Next, we assume that Q[1] = Q[0] + P up to n = k. In this case we have 
R[1] = R[0] + P, where (Q[0], Q[1])_1 = (R[0], R[1]). For n = k + 1 we also have 
two cases, d[0] = 0 or 1. Then we obtain Q[0] = 2 * R[0], Q[1] = 2 * R[0] + P for 
d[0] = 0, and Q[0] = 2 * R[0] + P, Q[1] = 2 * R[0] + 2 * P for d[0] = 1. The fact 
Q[1] = Q[0] + P is correct for n = k + 1. Thus we proved that Q[1] = Q[0] + P for 
each (Q[0], Q[1])_i, i = 0, 1, ..., n − 2. 

Next, we prove that Q[0] is equivalent to Q[0] in Step 3 of the left-to-right bi-
nary method (Q[0] in Step 2.1 of the double-and-add-always method) for each 
loop of d[i], (i = 0, 1, ..., n − 2). In each loop of d[i], for given Q[0], Q[1], the new 
Q[0] is computed as follows: ECDBL(Q[0]) for d[i] = 0 and ECADD(Q[0], Q[1]) = 
Q[0] + (Q[0] + P) = 2 * Q[0] + P = ECADD(ECDBL(Q[0]), P) for d[i] = 1. 
On the other hand, in each loop of d[i] in the left-to-right binary method, for 
given Q[0], the new Q[0] is computed as follows: ECDBL(Q[0]) for d[i] = 0 and 
ECADD(ECDBL(Q[0]), P) for d[i] = 1. They are completely the same computa-
tions. Thus we can conclude that the output d * P is correct. 

The Montgomery ladder requires one ECDBL in the initial Step 1, and (n − 1) 
ECDBLs and (n − 1) ECADDs in the loop. The computation time of the loop is the 
same as that of the double-and-add-always method. 


Remark 7.6. Scalar multiplication using the Montgomery ladder does not depend on 
the representation of elliptic curves, and it is applicable to executing a modular 
exponentiation in any abelian group. Therefore the RSA cryptosystem, the DSA, and 
the ElGamal cryptosystem can use the Montgomery ladder. 

Addition formula. Let E be an elliptic curve defined by the standard Weierstrass 
form (5.1) and let $P_1 = (x_1, y_1)$, $P_2 = (x_2, y_2)$, $P_3 = P_1 + P_2 = (x_3, y_3)$ be points 
on E(K). Moreover, let $P_3' = P_1 - P_2 = (x_3', y_3')$. Then we obtain the following 
relations: 

$$x_3 \cdot x_3' = \frac{(x_1 x_2 - a)^2 - 4b(x_1 + x_2)}{(x_1 - x_2)^2},\qquad x_3 + x_3' = \frac{2(x_1 + x_2)(x_1 x_2 + a) + 4b}{(x_1 - x_2)^2}. \tag{7.2}$$

On the other hand, letting $P_4 = 2 * P_1 = (x_4, y_4)$ leads to the relation 

$$x_4 = \frac{(x_1^2 - a)^2 - 8bx_1}{4(x_1^3 + ax_1 + b)}. \tag{7.3}$$

Thus the x-coordinates of both $P_3$ and $P_4$ can be computed just from the x-
coordinates of the points $P_1, P_2, P_3'$. We call this method the multiplicative (addi-
tive) x-coordinate-only method. The x-coordinate-only methods for scalar mul-
tiplication were originally introduced by Montgomery [Mon87]. However, his main 
interest was to find a special form of elliptic curves on which the computing times 
are optimal. The additive method was not discussed in his paper. 

In the projective coordinate system, equations (7.2) and (7.3) turn into 

$$\frac{X_3}{Z_3} = \frac{(X_1 X_2 - aZ_1 Z_2)^2 - 4bZ_1 Z_2(X_1 Z_2 + X_2 Z_1)}{(X_1 Z_2 - X_2 Z_1)^2} \cdot \frac{Z_3'}{X_3'}, \tag{7.4}$$

$$\frac{X_3}{Z_3} = \frac{2(X_1 Z_2 + X_2 Z_1)(X_1 X_2 + aZ_1 Z_2) + 4bZ_1^2 Z_2^2}{(X_1 Z_2 - X_2 Z_1)^2} - \frac{X_3'}{Z_3'}, \tag{7.5}$$

$$\frac{X_4}{Z_4} = \frac{(X_1^2 - aZ_1^2)^2 - 8bX_1 Z_1^3}{4(X_1 Z_1(X_1^2 + aZ_1^2) + bZ_1^4)}. \tag{7.6}$$

The computing times for (7.4), (7.5), (7.6) are $\mathrm{ECADD}^{(m)} = 9M + 2S$, $\mathrm{ECADD}^{(a)} = 
10M + 2S$, $\mathrm{ECDBL} = 6M + 3S$. If $Z_3' = 1$, the computing times are reduced to 
$\mathrm{ECADD}^{(m)}_{Z_3'=1} = \mathrm{ECADD}^{(a)}_{Z_3'=1} = 8M + 2S$. 

When we use the x-coordinate-only methods, we need the difference of the two 
points, $P_3' = P_1 - P_2$. This may be a problem in general, but not in the Montgomery 
ladder. In each loop of the Montgomery ladder, the two points (Q[0], Q[1]) are simul-
taneously computed and they satisfy the equation Q[1] − Q[0] = P, where P is the 
base point of the scalar multiplication. Therefore, we can assume that the differ-
ence $P_1 - P_2$ for the input values of ECADD($P_1$, $P_2$) in the Montgomery ladder is always 
known. On the contrary, in order to know it in the double-and-add-always method 
we need extra computation. The x-coordinate-only methods have no computational 
advantage for the double-and-add-always method. 


Y-Coordinate Recovering. When we apply the x-coordinate-only methods to the 
Montgomery ladder, the output is only the x-coordinate of d * P. This is enough 
for some cryptographic applications such as a key exchange scheme and an en-
cryption/decryption scheme [SECG]. But other applications, such as the verification 
of a signature scheme [SECG], also require the y-coordinate of d * P. However, 
the y-coordinate of d * P is easily obtained in the following way: the final val-
ues of Q[0], Q[1] in the Montgomery ladder are related by Q[1] = Q[0] + P. Let 
$P = (x_1, y_1)$, $Q[0] = (x_2, y_2)$, $Q[1] = (x_3, y_3)$. Here the known values are $x_1, y_1, x_2, x_3$ 
and the target is $y_2$. Using the standard addition formula (2), we obtain the equation 

$$y_2 = (2y_1)^{-1}\left(y_1^2 + x_2^3 + ax_2 + b - (x_1 - x_2)^2(x_1 + x_2 + x_3)\right).$$

This y-recovering technique 
was originally introduced by Agnew et al. for curves over $F_{2^m}$ [AMV93]. In 
projective coordinates, we show an algorithm that computes $dP = (X_d' : Y_d' : Z_d')$ 
for input $X_d, Z_d, X_{d+1}, Z_{d+1}, P = (x, y)$, where $x(dP) = X_d/Z_d$ and $x((d+1)P) = 
X_{d+1}/Z_{d+1}$. It requires 11M + 2S + 7A and 7 auxiliary variables. 
YRecovering, 11M + 2S + 7A 
Input (X_d, Z_d, X_{d+1}, Z_{d+1}, x, y, a, b) 
Output (X_d', Y_d', Z_d') 

R1 ← X_d, R2 ← Z_d, R3 ← X_{d+1}, R4 ← Z_{d+1} 
R5 ← x × R2 
R6 ← R5 − R1 
R6 ← R6^2 
R6 ← R3 × R6 
R5 ← R5 + R1 
R7 ← x × R1 
R1 ← R1 × R2 
R3 ← a × R2 
R2 ← R2^2 
R7 ← R3 + R7 
R7 ← R5 × R7 
R5 ← y × R4 
R5 ← R5 + R5 
R3 ← R5 × R2 
R1 ← R5 × R1 
R2 ← b × R2 
R2 ← R2 + R2 
R7 ← R7 + R2 
R7 ← R4 × R7 
R7 ← R7 − R6 
X_d' ← R1, Y_d' ← R7, Z_d' ← R3 
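As an added example (not the chapter's own code), the following Python runs the Montgomery ladder of this section with the affine x-coordinate-only formulas (7.2) and (7.3), recovers y with the equation above, and checks the result against a textbook double-and-add; the toy curve y^2 = x^3 + x + 6 over F_11 (13 points, prime order) and its generator (2, 7) are constructed for the example.

```python
# Added example, not the chapter's own code: Montgomery ladder with the
# x-coordinate-only formulas (7.2)/(7.3) and the y-recovery of this section,
# checked against affine double-and-add.  Constructed toy curve: y^2 = x^3 + x + 6
# over F_11 has prime order 13, generated by G = (2, 7).
P_MOD, A, B = 11, 1, 6
G = (2, 7)

def inv(v):
    return pow(v, -1, P_MOD)

def affine_add(P, Q):
    """Reference affine addition/doubling; None is the point at infinity."""
    if P is None or Q is None:
        return P or Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    lam = (3 * x1 * x1 + A) * inv(2 * y1) if P == Q else (y2 - y1) * inv(x2 - x1)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def double_and_add(d, P):
    """Reference scalar multiplication (not SPA-resistant; correctness only)."""
    R = None
    for bit in bin(d)[2:]:
        R = affine_add(R, R)
        if bit == "1":
            R = affine_add(R, P)
    return R

def x_ecdbl(x1):
    """x(2P) from x(P): formula (7.3)."""
    return ((x1 * x1 - A) ** 2 - 8 * B * x1) * inv(4 * (x1 ** 3 + A * x1 + B)) % P_MOD

def x_ecadd(x1, x2, x_diff):
    """x(P1 + P2) from x(P1), x(P2) and x(P1 - P2): additive form of (7.2)."""
    return ((2 * (x1 + x2) * (x1 * x2 + A) + 4 * B) * inv((x1 - x2) ** 2) - x_diff) % P_MOD

def ladder_x(d, P):
    """Montgomery ladder on x only; Q[1] - Q[0] = P throughout, so the
    difference x_ecadd needs is always x(P).  Returns x(dP), x((d+1)P)."""
    x = P[0]
    q0, q1 = x, x_ecdbl(x)                            # Step 1: P, 2P
    for bit in bin(d)[3:]:                            # bits d[n-2] .. d[0]
        q2 = x_ecdbl(q1 if bit == "1" else q0)        # Step 2.1
        q1 = x_ecadd(q0, q1, x)                       # Step 2.2
        q0, q1 = (q1, q2) if bit == "1" else (q2, q1) # Steps 2.3 and 2.4
    return q0, q1

def ladder(d, P):
    """x-only ladder followed by y-recovery: the full point dP."""
    (x1, y1), (xd, xd1) = P, ladder_x(d, P)
    y = y1 * y1 + xd ** 3 + A * xd + B - (x1 - xd) ** 2 * (x1 + xd + xd1)
    return (xd, y * inv(2 * y1) % P_MOD)
```

For a base point of prime order N the ladder meets neither x_1 = x_2 in (7.2) nor y = 0 in (7.3) as long as d ≤ N − 2, so the affine inverses in the example are always defined.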














Formula xECADDDBL. In the above ladder, ECADD and ECDBL are computed 
separately. For performing SCA-resistant scalar multiplication efficiently, Izu et 
al. [IBT02] encapsulated these formulae into one formula xECADDDBL, which out-
puts the x-coordinate values of $P_3 = P_1 + P_2$ and $P_4 = 2P_1$ on inputs $P_1, P_2$. In 
fact, with a projective version of the x-coordinate-only formulae, we can compute 
$X_3, Z_3, X_4, Z_4$ with 13M + 4S + 18A for a ≠ −3 and 11M + 4S + 23A for a = −3. 
The number of auxiliary variables for the formulae is 7. 
The scalar multiplication using the formula xECADDDBL is as follows: 

Improved Scalar Multiplication using Montgomery Ladder 

Input: d = (d_{n-1} ··· d_1 d_0)_2, P ∈ E(K) (d_{n-1} = 1) 
Output: dP 
1. Q[0] ← P, Q[1] ← ECDBL(P) 
2. for i = n − 2 down to 0 
   2.1. (Q[d[i] ⊕ 1], Q[d[i]]) = xECADDDBL(Q[d[i]], Q[d[i] ⊕ 1]) 
3. return Q[0] 


Timing. In order to demonstrate the efficiency of xECADDDBL, we implemented 
the 160-bit scalar multiplication using xECADDDBL and the previously fastest 
algorithm on a Celeron 500 MHz using the LiDIA library [LiDIA]. It should be 
emphasized here that our implementation was not optimized for cryptographic 
purposes — it is only intended to provide a comparison. The improvement is 
about 15%. The results are as follows: 
TABLE 4. Computing times of 160-bit ECC on a Celeron 500 MHz 

Double-and-Add-Always / Joye-Tymen | 25.5 ms 
xECADDDBL / Joye-Tymen | 21.5 ms 

xECADDDBL, 13M + 4S + 18A 
Input (X1, Z1, X2, Z2, x, a, b) 
Output (X3, Z3, X4, Z4) 
R1 ← X1, R2 ← Z1, R3 ← X2, R4 ← Z2 

xECADDDBL^{a=−3}, 11M + 4S + 23A 
Input (X1, Z1, X2, Z2, x, b) 
Output (X3, Z3, X4, Z4) 
R1 ← X1, R2 ← Z1, R3 ← X2, R4 ← Z2 
7.3. Non-Zero Window Method 


Okeya and Takagi proposed an SPA-resistant addition chain with small memory, 
which is based on the width-w NAF [OT03a]. The algorithm is as follows: 


SPA-resistant_Width-w_NAF_with_Odd_Scalar 
INPUT An odd n-bit d 
OUTPUT d_w[n], d_w[n − 1], ..., d_w[0] 
1. r ← 0, i ← 0, r_0 ← w 
2. While d > 1 do the following 
   2.1. u[i] ← (d mod 2^{w+1}) − 2^w 
   2.2. d ← (d − u[i]) / 2^w 
   2.3. d_w[r + r_i − 1] ← 0, d_w[r + r_i − 2] ← 0, ..., d_w[r + 1] ← 0, d_w[r] ← u[i] 
   2.4. r ← r + r_i, i ← i + 1, r_i ← w 
3. d_w[n] ← 0, ..., d_w[r + 1] ← 0, d_w[r] ← 1 
4. Return d_w[n], d_w[n − 1], ..., d_w[0] 








The algorithm generates the SPA-resistant chain only for an odd scalar; the 
treatment of an even scalar was discussed in [OT03a]. We assume that the scalar d is 
odd in the following. At Step 2.1, the integer u[i] is assigned as $(d \bmod 2^{w+1}) - 2^w$. 
The computation assures that u[i] is odd whenever d is odd. Since $d - u[i] = d - (d 
\bmod 2^{w+1}) + 2^w \equiv 2^w \pmod{2^{w+1}}$, the resultant $(d - u[i])/2^w$ is odd. Thus, each 
integer u[i] is odd. Note that d terminates with d = 1. Hence we can achieve the 
SPA-resistant chain, namely the fixed pattern 

| 0...0 x | 0...0 x | ··· | 0...0 x | 

with odd integers |x| < 2^w, where each run of zeros has length w − 1. 

The number of pre-computed points is $2^{w-1}$, and the density of the non-zero 
digits is 1/w. The scalar multiplication using this chain is computed in the same way as the 
scalar multiplication with the width-w NAF. 
We show an example of the non-adjacent form as follows: 
binary string 1001110111100111000101101111000110101011111001 
w=2 10103030103030303010301030103010303010101030303 
w=3 1001007001005001001003005007001001003003007001 


Note that this scheme is optimal with respect to the memory, and the table size 
is 2, 4, 8, ... for w = 2, 3, 4, .... 
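The recoding of Steps 1 to 4 above, as an added example that is not part of the original text, implemented in Python together with a decoder and a check of the fixed pattern; the 46-bit scalar from the example strings above is used as the test input.

```python
# Added example, not the chapter's own code: the Okeya-Takagi SPA-resistant
# width-w NAF recoding of an odd scalar, plus a decoder and a pattern check.
def spa_resistant_wnaf(d, w):
    """Digits d_w[0], d_w[1], ... (least significant first) of the fixed-pattern
    chain: every w-th digit is an odd integer with |x| < 2^w, the digits between
    are 0, and the leading digit is 1.  Step 3's zero padding up to d_w[n] is
    omitted here because leading zeros do not change the value."""
    if d <= 0 or d % 2 == 0:
        raise ValueError("the chain is defined for odd scalars only")
    digits = []
    while d > 1:
        u = (d % 2 ** (w + 1)) - 2 ** w     # Step 2.1: odd because d is odd
        d = (d - u) // 2 ** w               # Step 2.2: exact, and the quotient is odd
        digits += [u] + [0] * (w - 1)       # Step 2.3: d_w[r] = u, next w-1 digits 0
    digits.append(1)                        # Step 3: leading digit 1
    return digits

def digits_to_int(digits):
    """Evaluate sum d_w[i] * 2^i; recovers the scalar."""
    return sum(x << i for i, x in enumerate(digits))

def chain_string(digits):
    """Absolute digits, most significant first, as printed in the text."""
    return "".join(str(abs(x)) for x in reversed(digits))

def is_fixed_pattern(digits, w):
    """Check the |0..0 x| pattern: nonzero odd digits exactly at multiples of w."""
    return all((i % w == 0 and x % 2 == 1 and abs(x) < 2 ** w) if x else i % w != 0
               for i, x in enumerate(digits))
```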